How to simply better Linux Encoder ransomware
First things first. Linux.Encoder.1, a “Linux” crypto-ransomware, is not a Linux confidence hole. This malware relies on a confidence hole in a Magento web e-commerce platform, not Linux.
If we use Magento and haven’t patched it given Feb 9, 2015 — approbation it’s been that prolonged — then, and usually then, are we vulnerable. Otherwise, your site can’t presumably get Linux.Encoder.1.
The Magento conflict resembles ransomware programs such as Windows’ CryptoWall and TorLocker. They encrypt your files and afterwards direct remuneration for a pivotal to clear your documents.
Let’s contend we do use Magento and we were ridiculous adequate to leave an e-commerce height unpatched for over half a year. Patch it. Patch it now.
The ransomware guide: insurance and eradication
If you’re staring during your server in fear and distant too many of your files are encrypted by an assailant and your directories all have a record entitled “README_FOR_DECRYPT.txt,” congratulations, you’ve got it. It appears that about 2,700 red-faced website administrators have Linux.Encoder on their servers.
The good news is it’s easy to get absolved of. You could, of course,
compensate a release price of one Bitcon, $325 during a moment. we do not suggest we do this. Besides usually enlivening ransomware programmers, a crook’s repair doesn’t work well. Security consultant Brian Krebs reports that one complement director who paid up, got his files behind but, a “decryption book that puts a information back … somehow … ate some characters in a few files, adding like a comma or an additional space … to a file.”
So, we don’t caring how unfortunate we are, profitable a release is a reticent move.
You can also have Dr. Web, a Russian confidence company, that detected Linux.Encoder, try to recover your files for you. This use is usually accessible to Dr. Web blurb programs subscribers. These programs are Dr. Web Security Space or Dr. Web Enterprise Security Suite.
Or, we can what we recommend, and usually impulse open your files yourself.
You see a would-be cyber-criminals finished a elemental mistake. Their encryption process uses a inadequate doing of Advanced Encryption Standard (AES) to beget a encryption key. Specifically, as a anti-virus association Bitdefender reported, a “AES pivotal is generated locally on a victim’s computer. … rather than generating secure pointless keys and IVs [initialization vector], a representation would get these dual pieces of information from a libc rand() duty seeded with a stream complement time-stamp during a impulse of encryption. This information can be simply retrieved by looking during a file’s time-stamp.”
Armed with this, it’s pardonable — well, for encryption experts — to find a pivotal we need to revive your files. Since many of we don’t know your AES from your Playfair, Bitdefender is charity a free Python 2.7 book to obtain a Linux.Encoder pivotal and IV for your containinated server.
Here’s how to use it.
If we can foot your compromised server, download a script, and run it as base . If we can’t boot, download and decompress a record to a Linux live USB stick. For this job, we suggest a SystemRescueCDLinux distribution.
Then, mountain a encrypted assign regulating a bombard authority :
mountain /dev/[encrypted_partition]
Generate a list of encrypted files with a following command:
/mnt# sort_files.sh encrypted_partition sorted_list
Issue a conduct authority to get a initial file:
/mnt# conduct -1 sorted_list
Run a decryption application to get a encryption seed:
/mnt# python decrypter.py -f [first_file]
Decrypt all a other putrescent files regulating a displayed seed:
/mnt# python /tmp/new/decrypter.py -s [time-stamp.] -l sorted_list
Not gentle with a Linux shell? Get someone who is a Linux consultant to assistance you.
Bitdefender is also, really generously, charity to assistance users with giveaway support from their web site. Go to a bottom of a page to find a form.
Finally, and always: Update your program always. If everybody had simply finished this that alone would have stopped Linux.Encoder in a tracks.