​How to easily defeat Linux Encoder ransomware

For all the attention Linux.Encoder.1 ransomware has gotten, a lot of people seem to be missing that it's easy to fix. Here's how to do it.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

First things first. Linux.Encoder.1, the "Linux" crypto-ransomware, is not a Linux security hole. This malware relies on a security hole in the Magento web e-commerce platform, not Linux.

If you use Magento and haven't patched it since February 9, 2015 -- yes it's been that long -- then, and only then, are you vulnerable. Otherwise, your site can't possibly get Linux.Encoder.1.

The Magento attack resembles ransomware programs such as Windows' CryptoWall and TorLocker. They encrypt your files and then demand payment for the key to unlock your documents.

Let's say you do use Magento and you were foolish enough to leave an e-commerce platform unpatched for over half a year. Patch it. Patch it now.

The ransomware guide: protection and eradication

If you're staring at your server in horror and far too many of your files are encrypted by an attacker and your directories all have a file entitled "README_FOR_DECRYPT.txt," congratulations, you've got it. It appears that about 2,700 red-faced website administrators have Linux.Encoder on their servers.

The good news is it's easy to get rid of.

You could, of course, pay the ransom fee of one Bitcoin, $325 at the moment. I do not recommend you do this. Besides just encouraging ransomware programmers, the crook's fix doesn't work well. Security expert Brian Krebs reports that one system administrator who paid up, got his files back but, the "decryption script that puts the data back ... somehow ... ate some characters in a few files, adding like a comma or an extra space ... to the file."

So, I don't care how desperate you are, paying the ransom is a dumb move.

You can also have Dr. Web, the Russian security company, that discovered Linux.Encoder, try to recover your files for you. This service is only available to Dr. Web commercial programs subscribers. These programs are Dr. Web Security Space or Dr. Web Enterprise Security Suite.

Or, you can what I recommend, and just crack open your files yourself.

You see the would-be cyber-criminals made a fundamental mistake. Their encryption method uses a faulty implementation of Advanced Encryption Standard (AES) to generate the encryption key. Specifically, as the anti-virus company Bitdefender reported, the "AES key is generated locally on the victim's computer. ... rather than generating secure random keys and IVs [initialization vector], the sample would derive these two pieces of information from the libc rand() function seeded with the current system time-stamp at the moment of encryption. This information can be easily retrieved by looking at the file's time-stamp."

Armed with this, it's trivial -- well, for encryption experts -- to find the key you need to restore your files. Since most of you don't know your AES from your Playfair, Bitdefender is offering a free Python 2.7 script to obtain the Linux.Encoder key and IV for your containinated server.

Here's how to use it.

If you can boot your compromised server, download the script, and run it as root . If you can't boot, download and decompress the file to a Linux live USB stick. For this job, I recommend the SystemRescueCD Linux distribution.

Then, mount the encrypted partition using the shell command :

mount /dev/[encrypted_partition]

Generate a list of encrypted files with the following command:

/mnt# sort_files.sh encrypted_partition > sorted_list

Issue a head command to get the first file:

/mnt# head -1 sorted_list

Run the decryption utility to get the encryption seed:

/mnt# python decrypter.py -f [first_file]

Decrypt all the other infected files using the displayed seed:

/mnt# python /tmp/new/decrypter.py -s [time-stamp.] -l sorted_list

Not comfortable with the Linux shell? Get someone who is a Linux expert to help you.

Bitdefender is also, very generously, offering to help users with free support from their web site. Go to the bottom of the page to find the form.

Finally, and always: Update your software always. If everyone had simply done this that alone would have stopped Linux.Encoder in its tracks.

Related Stories:

Editorial standards