
Ransomware Found Targeting Linux Servers and Coding Repositories

1 reply to this topic

#1 Dazzzler


  • Banned Spammer
  • 45 posts
  • Gender:Male
  • Local time:10:58 AM

Posted 07 November 2015 - 07:10 AM

A newly discovered ransomware is attacking Linux Web servers, taking aim at Web development environments used to host websites or code repositories.

Russian antivirus maker Dr.Web came across this malware and said that the ransomware needs root privileges to work. Additionally, the company also says it does not yet know how the ransomware infects computers, but taking into account previous Linux-based malware infections, the main culprit may be an open SSH port with weak credentials.

The ransomware uses AES encryption to lock down files

As for its modus operandi, when the ransomware launches, it starts to download the ransom message, and then a file containing the public RSA key. The latter key is then used to store AES keys used to encrypt the local files.

When this happens, the ransomware adds the .encrypt extension to each file and places a ransom text message in each folder where it encrypts data.

The ransomware has a taste for Web pages and their associated file extension

The malware specifically targets files in folders that are generally found in Linux Web server setups, or in coding and development environments.

This includes directories like /home, /root, /var/lib/mysql, /var/www, /etc/nginx, /etc/apache2, /var/log, and any directory that includes terms like git, svn, webapp, www, public_html, or backup.

The ransomware also looks for files that have extensions specific to Web development environments like .js, .css, .properties, .xml, .ruby, .php, .html, .gz, .asp, and such. Other file extensions known to host data are also covered (.rar, .7z, .xls, .pdf, .doc, .avi, .mov, .png, .jpg, etc.).

Dr.Web detects the ransomware as Linux.Encoder.1. After careful analysis, the company said that Linux.Encoder.1 is coded in C and also uses the PolarSSL library.

Source: http://news.softpedia.com/news/ransomware-found-targetting-linux-servers-and-coding-repositories-495836.shtml
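An added example, not code from the post, Softpedia or Dr.Web: a read-only shell check that searches the directories the post lists for files carrying the .encrypt extension the ransomware appends, and lists subdirectories whose names contain the terms the post says the malware looks for. The directory and keyword lists come from the post; the function names and the use of find/sort are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the post, Softpedia or Dr.Web: a read-only
# triage check for the indicator described above, the ".encrypt" extension
# Linux.Encoder.1 appends to files it encrypts. Nothing on disk is modified.

# Directories the post lists as targets; pass your own list to override.
ENCODER_TARGET_DIRS="/home /root /var/lib/mysql /var/www /etc/nginx /etc/apache2 /var/log"
# Name fragments the post says the malware also searches for.
ENCODER_DIR_KEYWORDS="git svn webapp www public_html backup"

# list_encrypted DIR...: print every *.encrypt file below the given directories,
# one path per line. -xdev stays on one filesystem; unreadable paths are skipped.
list_encrypted() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -name '*.encrypt' -print 2>/dev/null
    done | sort -u
}

# count_encrypted DIR...: number of *.encrypt files found (0 means none seen).
count_encrypted() {
    list_encrypted "$@" | wc -l | tr -d ' '
}

# keyword_dirs DIR...: subdirectories whose name contains one of the keywords,
# i.e. extra paths on this host worth adding to the scan.
keyword_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for k in $ENCODER_DIR_KEYWORDS; do
            find "$d" -xdev -type d ! -path "$d" -name "*$k*" -print 2>/dev/null
        done
    done | sort -u
}

# Stand-alone use: sh encoder_check.sh --scan
if [ "${1:-}" = "--scan" ]; then
    n=$(count_encrypted $ENCODER_TARGET_DIRS)
    if [ "$n" -gt 0 ]; then
        echo "WARNING: $n .encrypt file(s) found; isolate the host and preserve disks"
        list_encrypted $ENCODER_TARGET_DIRS
    else
        echo "No .encrypt files found under: $ENCODER_TARGET_DIRS"
    fi
    # /srv and /opt are not in the post's list but often hold web and repo data.
    echo "Keyword-named directories outside the post's list (consider scanning):"
    keyword_dirs /srv /opt
fi
```

Run it as root on a suspect server so every listed directory is readable; a non-zero count is an indicator to act on, not proof, since any file may legitimately carry that extension.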




#2 buddy215


  • Moderator
  • 13,496 posts
  • Gender:Male
  • Location:West Tennessee
  • Local time:11:28 PM

Posted 07 November 2015 - 08:18 AM

Home users of Linux distros reading the above should not be concerned about being a victim of the above reported malware IF you are not running as ROOT and are not allowing REMOTE CONNECTION to your desktop. Remote connection is not allowed by default in popular Linux distros such as Ubuntu. If you are not sure your particular Linux distro is allowing remote connection to your desktop then you should confirm it isn't if you don't need to access your computer remotely.


I should probably mention that securing your router is very important, too. If you haven't changed the default password and blocked remote connection if unneeded...that should be done, too. While in the router settings...check for firmware update, too.

Edited by buddy215, 07 November 2015 - 08:28 AM.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”
