If you're staring at your server in horror because far too many of your files have been encrypted by an attacker and every directory contains a file named "README_FOR_DECRYPT.txt," congratulations: you've got Linux.Encoder. It appears that about 2,700 red-faced website administrators have it on their servers.
The good news is it's easy to get rid of.
You could, of course, pay the ransom fee of one Bitcoin, $325 at the moment. I do not recommend you do this. Besides just encouraging ransomware programmers, the crooks' fix doesn't work well. Security expert Brian Krebs reports that one system administrator who paid up got his files back, but the "decryption script that puts the data back ... somehow ... ate some characters in a few files, adding like a comma or an extra space ... to the file."
So, I don't care how desperate you are, paying the ransom is a dumb move.
Or, you can do what I recommend, and crack open your files yourself.
You see, the would-be cyber-criminals made a fundamental mistake. The files are encrypted with the Advanced Encryption Standard (AES), and AES itself is not the problem; the problem is how the AES key and initialization vector are generated. Specifically, as the anti-virus company Bitdefender reported, the "AES key is generated locally on the victim's computer. ... rather than generating secure random keys and IVs [initialization vector], the sample would derive these two pieces of information from the libc rand() function seeded with the current system time-stamp at the moment of encryption. This information can be easily retrieved by looking at the file's time-stamp." In other words, the key is a function of a timestamp, and a timestamp is something you already have. One practical consequence: the files' modification times are your key material, so don't copy, touch or otherwise rewrite the encrypted files in a way that changes their timestamps before you run the recovery.
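To make the flaw concrete, here is an added illustration in C. It is not Bitdefender's decryption script and not the ransomware's own code: it reproduces the class of mistake (a key and IV filled from libc rand() after seeding with a timestamp) and shows why the victim can undo it, by walking the handful of seeds around the file's modification time and checking each against a known plaintext prefix. The byte layout of the key, the seed granularity and the window size are assumptions, since the page does not state them; the file cipher is a keystream XOR stand-in, not AES, so that the program runs without OpenSSL, and the sample "PDF" is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 32
#define IV_LEN  16

/*
 * Assumed reconstruction of the flaw: key and IV are filled from libc rand()
 * after srand() with a timestamp. The exact layout Linux.Encoder used is not
 * given on this page; this ordering is an assumption for illustration.
 */
static void derive_key_iv(time_t seed, unsigned char key[KEY_LEN],
                          unsigned char iv[IV_LEN])
{
    size_t i;
    srand((unsigned)seed);
    for (i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
    for (i = 0; i < IV_LEN; i++)
        iv[i] = (unsigned char)(rand() & 0xff);
}

/*
 * Stand-in for the file cipher so the example runs without a crypto library.
 * This is a keystream XOR, NOT AES. The weakness being shown lives in the
 * key/IV, and the same known-plaintext check works with real AES-CBC.
 */
static void toy_crypt(const unsigned char key[KEY_LEN],
                      const unsigned char iv[IV_LEN],
                      const unsigned char *in, unsigned char *out, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        out[i] = in[i] ^ key[i % KEY_LEN] ^ iv[i % IV_LEN];
}

/*
 * Recovery: the file's mtime lies within a few seconds of the moment the key
 * was generated, so only 2*window+1 seeds are candidates instead of 2^256
 * keys. A known plaintext prefix (a file magic such as "%PDF-") identifies
 * the right one. Returns the seed, or -1 if nothing in the window decrypts.
 */
static long recover_seed(time_t mtime, int window,
                         const unsigned char *ct, size_t ct_len,
                         const unsigned char *known, size_t known_len)
{
    unsigned char key[KEY_LEN], iv[IV_LEN], buf[64];
    time_t s;
    if (known_len > ct_len || known_len > sizeof buf)
        return -1;
    for (s = mtime - window; s <= mtime + window; s++) {
        derive_key_iv(s, key, iv);
        toy_crypt(key, iv, ct, buf, known_len);
        if (memcmp(buf, known, known_len) == 0)
            return (long)s;
    }
    return -1;
}

/* Constructed scenario: a fake PDF encrypted at a fixed 2015 timestamp. */
#define SAMPLE_SEED 1446768000L
static const unsigned char sample_pt[] =
    "%PDF-1.4 constructed sample, not a real document";

/* Encrypt the sample, then recover the seed from the mtime alone. */
static long demo_recover(void)
{
    unsigned char key[KEY_LEN], iv[IV_LEN], ct[sizeof sample_pt];
    time_t mtime;
    derive_key_iv(SAMPLE_SEED, key, iv);
    toy_crypt(key, iv, sample_pt, ct, sizeof sample_pt);
    /* The encrypted file lands on disk a couple of seconds after key generation. */
    mtime = SAMPLE_SEED + 2;
    return recover_seed(mtime, 60, ct, sizeof sample_pt,
                        (const unsigned char *)"%PDF-", 5);
}

/* Two files encrypted in the same second get an identical key and IV. */
static int demo_same_second(void)
{
    unsigned char k1[KEY_LEN], i1[IV_LEN], k2[KEY_LEN], i2[IV_LEN];
    derive_key_iv(SAMPLE_SEED, k1, i1);
    derive_key_iv(SAMPLE_SEED, k2, i2);
    return memcmp(k1, k2, KEY_LEN) == 0 && memcmp(i1, i2, IV_LEN) == 0;
}

int main(void)
{
    printf("recovered seed: %ld (expected %ld)\n", demo_recover(), SAMPLE_SEED);
    printf("same-second keys identical: %s\n", demo_same_second() ? "yes" : "no");
    return 0;
}
```

The search loop is the whole attack: with the timestamp known to within a minute there are about a hundred candidate keys, and a five-byte known prefix is enough to pick the right one. The same structure applies if the cipher is real AES-CBC, with the decrypt call swapped for the library's and the comparison made against the first decrypted block. It also shows why the modification time must be preserved: change it, and the window no longer contains the seed.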
If you can boot your compromised server, download the script and run it as root. If you can't boot, download and decompress the file to a Linux live USB stick. For this job, I recommend the SystemRescueCD Linux distribution.
Then, mount the encrypted partition using the shell command:
Generate a list of encrypted files with the following command: