Researchers uncover a predecessor for Linux.Encoder.1

Nov 18, 2015 18:35 GMT

Malware analysts from Bitdefender have come across an older version of the Linux.Encoder.1 ransomware, which they've managed to decrypt with the help of some voodoo magic.

Linux.Encoder.1 is a recently discovered ransomware family that targets Linux computers and goes after data usually found in Web hosting environments and source code repositories.

The ransomware is spread via outdated websites, where attackers compromise servers via known vulnerabilities. Most infections occur on WordPress and Magento websites, and at the moment of writing this article, over 3,000 infected sites can be discovered via a simple Google query.

Romanian-based security vendor Bitdefender was the first company to find flaws in the ransomware's encryption and provide a decryption tool for Linux.Encoder.1. It was followed a week later by Dr.Web, the company that originally came across the ransomware, but Dr.Web's tool is provided only to its paying customers.

Meet Linux.Encoder.0, Linux.Encoder.1's older brother

As Bitdefender is reporting today, this decryption tool was not entirely successful. Their staff was immediately confronted with cases where the tool didn't work.

The reason behind these issues was that the tool was executed against files that were encrypted with an earlier version of the ransomware. Bitdefender's team named this ransomware Linux.Encoder.0, and quickly set out to find a way to crack its encryption.

This task fell to Radu Caragea, one of the company's vulnerability researchers and also one of its cryptography experts. Mr. Caragea went through numerous encryption and decryption methods, and in the end he discovered the ransomware's secret, revealing the original algorithm used to encrypt the data. He pulled all this off just by looking at five encrypted files, with no malware sample to analyze. Voodoo magic, as we said.

"Decryption can be done even without the exact infection sample. Lots of leaps of faith and educated guesses are required," explains Mr. Caragea. "Never leave crypto to amateurs. You either know what you're doing or you fail tragically. This is one of the few cases where bad crypto is actually good."

Linux.Encoder.0 made only $7,000 from infected machines

According to Mr. Caragea, Linux.Encoder.0 had a short lifespan: it was active in August 2015, and judging by the Bitcoin address where payments were sent, only seven people paid the ransom.

The Bitcoin wallet was cashed out on November 10, and taking into account that the ransom was 4.6 Bitcoins (~$1,000) per infection, the criminals made only ~$7,000 from their efforts.