Bitdefender provides a free decryption tool for all victims

Nov 10, 2015 09:19 GMT

There have been three major ransomware-related pieces of news in the past week: the launch of CryptoWall 4.0, the Linux.Encoder.1 ransomware targeting Web servers and coding repositories, and the stupid ransomware that hijacked files and threw away the encryption key. The score is now: Bitdefender - 2, Ransomware - 1.

Yesterday the company released an updated version of its CryptoWall Vaccine that lets users block CryptoWall 4.0 infections, and last night it also found a way to deal with Linux.Encoder.1 infections.

To understand what Bitdefender's security researchers discovered, a short introduction to how this particular ransomware works is needed.

For each file it encrypts, Linux.Encoder.1 uses an AES symmetric key, meaning the same key serves for both encryption and decryption. Symmetric encryption is cheap in system resources, which lets the ransomware encrypt large files quickly without hogging the local CPU and memory.

Once a file has been encrypted with the AES key, the ransomware also encrypts that key, to keep it from being recovered, this time with an RSA asymmetric key, meaning different keys for encryption and decryption. Asymmetric encryption is more demanding in resources and time, but it is fast enough for small pieces of data such as an AES key.

While the AES encryption takes place locally, the RSA key pair is generated on the C&C server: the private key stays on the attackers' server, and the public key is sent to the victim's machine to encrypt the AES key.

Linux.Encoder.1 comes with a major flaw in its encryption process

Bitdefender's team says it has identified a flaw in how the ransomware operates.

"We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption," says Bitdefender's Bogdan Botezatu.

This allowed the Bitdefender team to take the encrypted file's timestamp, feed it through the libc rand() function and obtain the AES key the ransomware had used. As mentioned above, AES is symmetric, so the same key also decrypts the files.
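To make the flaw concrete, here is an added illustration (not Bitdefender's tool and not the ransomware's own code) of a key derived from libc rand() seeded with a timestamp, why such a key can be recovered by searching a window around a file's modification time, and the CSPRNG alternative that would have closed the hole. The window width, the 16-byte key length and the use of /dev/urandom are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16 /* AES-128 key length; an IV would be derived the same way */

/* Weak derivation of the kind the article describes: seed libc rand() with a
 * timestamp and read key bytes from its output. Constructed illustration. */
static void weak_derive_key(time_t ts, unsigned char *key)
{
    srand((unsigned int)ts);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Victim-side recovery: given the key and a window around the file's
 * modification time, find the seed that reproduces it. Returns the
 * matching timestamp, or -1 if nothing in the window matches. */
static long recover_seed(const unsigned char *key, time_t lo, time_t hi)
{
    unsigned char cand[KEY_LEN];
    for (time_t t = lo; t <= hi; t++) {
        weak_derive_key(t, cand);
        if (memcmp(cand, key, KEY_LEN) == 0)
            return (long)t;
    }
    return -1;
}

/* Returns 1 when a key made from `ts` is recovered from an hour-wide window
 * around it: the "random" key is fully determined by a guessable seed. */
int weak_key_recoverable(time_t ts)
{
    unsigned char key[KEY_LEN];
    weak_derive_key(ts, key);
    return recover_seed(key, ts - 1800, ts + 1800) == (long)ts;
}

/* The fix: draw key material from the OS CSPRNG instead. Returns 1 when two
 * draws differ, -1 if /dev/urandom is unavailable (assumes a Unix-like OS). */
int secure_keys_differ(void)
{
    unsigned char a[KEY_LEN], b[KEY_LEN];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(a, 1, KEY_LEN, f) + fread(b, 1, KEY_LEN, f);
    fclose(f);
    return n == 2 * KEY_LEN && memcmp(a, b, KEY_LEN) != 0;
}
```

The search over a one-hour window takes a few thousand rand() reseeds, which is why a timestamp-seeded key offers no real protection once the file's mtime is known.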

Bitdefender has created a decryption tool that automates this entire process, which it is offering for free, along with installation instructions.