
Linux Ransomware targeting Servers and Threatening Webmasters to Pay


46 replies to this topic

#1 NickAu (Moderator, "Bleepin' Fish Doctor", 13,118 posts, Location: 127.0.0.1 Australia)

Posted 09 November 2015 - 03:52 PM

 

Over the past few years, ransomware has emerged as one of the most catastrophic malware programs: it lets hackers encrypt all the contents of a victim's hard drive and/or server and demand a ransom (typically paid in Bitcoin) in exchange for a key to decrypt them.

Until now, cyber criminals were targeting computers, smartphones and tablets, but now it appears they are creating ransomware that has the same impact on websites, specifically holding the files, pages and images of the target website for ransom.

Dubbed Linux.Encoder.1 by Russian antivirus firm Dr.Web, the new strain of ransomware targets Linux-powered websites and servers by encrypting the MySQL, Apache and home/root folders associated with the target site and asking for 1 Bitcoin (~$300) to decrypt the files.
 
 
 

The ransomware threat is delivered to the target website through known vulnerabilities in website plugins or third-party software.
Linux Ransomware targeting Servers and Threatening Webmasters to Pay

Arch Linux .
 

#2 Aura (Malware Response Team, "Bleepin' Special Ops", 19,634 posts)

Posted 10 November 2015 - 08:48 AM

Good news! The authors behind that Cryptoware made an error in the code and Bitdefender managed to find the flaw, allowing you to grab the private key and decrypt your files for free.

For more information about this and the decryption tool, you can visit the article on Bitdefender's blog below.

http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
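The post above says the encoder's authors made a coding error that let Bitdefender recover the key, and the linked write-up's title names the class of error: a predictable encryption key. The block below is an added example, not code from the thread, from Dr.Web or from Bitdefender, and it does not claim to reproduce the real encoder. It models the general flaw in a constructed form: a key that is a deterministic function of the clock, and the recovery a defender can run by walking the seconds bracketed by the encrypted file's own mtime. Everything in it is assumed: Python's `random.Random` stands in for a libc-style PRNG, a SHA-256 counter keystream stands in for the real cipher, the PNG header is the known plaintext used to confirm a candidate, and the timestamps are made up.

```python
"""Toy model of a time-seeded key schedule and its recovery (added example)."""
import hashlib
import os
import random
from typing import Optional

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # first 8 bytes of every PNG file


def weak_key_from_seed(seed: int) -> bytes:
    """The flawed key schedule (assumed for this example): seed a
    deterministic PRNG with a timestamp and read 16 bytes out of it.
    Same second, same key."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(16))


def strong_key() -> bytes:
    """The correct alternative: 16 bytes from the OS CSPRNG. Nothing about
    the file or its mtime tells anyone what this was."""
    return os.urandom(16)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for the real one: SHA-256(key || block
    counter) XORed over the data. Symmetric, so it both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_like_encoder(plaintext: bytes, now: int) -> bytes:
    """What the weak encoder does: the only entropy in the key is the clock."""
    return keystream_xor(weak_key_from_seed(now), plaintext)


def recover_seed(ciphertext: bytes, mtime: int, window: int = 3600,
                 magic: bytes = PNG_MAGIC) -> Optional[int]:
    """Defender side. The file was written at or just after the key was
    derived, so the seed lies in [mtime - window, mtime]. Walk that range
    newest-first and accept the first seed whose decryption of the leading
    bytes reproduces the expected file magic."""
    for seed in range(mtime, mtime - window - 1, -1):
        if keystream_xor(weak_key_from_seed(seed), ciphertext[:len(magic)]) == magic:
            return seed
    return None


def decrypt_with_seed(ciphertext: bytes, seed: int) -> bytes:
    return keystream_xor(weak_key_from_seed(seed), ciphertext)


def demo() -> dict:
    """Encrypt a constructed PNG-like file at a fixed instant, then recover it
    knowing only the ciphertext and the file's mtime."""
    t_enc = 1447111200                      # constructed: an instant in Nov 2015
    plaintext = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + bytes(range(64))
    ciphertext = encrypt_like_encoder(plaintext, t_enc)
    mtime = t_enc + 2                       # the write lands a moment after key derivation
    seed = recover_seed(ciphertext, mtime)
    recovered = decrypt_with_seed(ciphertext, seed) if seed is not None else b""
    # The same file under an OS-random key: the mtime search finds nothing.
    unrecoverable = recover_seed(keystream_xor(strong_key(), plaintext), mtime)
    return {"seed": seed,
            "plaintext_restored": recovered == plaintext,
            "seed_under_strong_key": unrecoverable}


if __name__ == "__main__":
    print(demo())
```

The search is cheap because the candidate space is seconds in a window, not 2^128 keys; that is the whole point of seeding from the clock being a fatal error. Once an encoder derives its key from `os.urandom` (or any CSPRNG) the same procedure returns nothing, which is the scenario Aura warns about later in the thread.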


#3 DeimosChaos (BC Advisor, 1,420 posts, Location: United States, Delaware)

Posted 10 November 2015 - 11:00 AM

> Good news! The authors behind that Cryptoware made an error in the code and Bitdefender managed to find the flaw, allowing you to grab the private key and decrypt your files for free.
>
> For more information about this and the decryption tool, you can visit the article on Bitdefender's blog below.
>
> http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

Awesome stuff! Gotta love it when the bad guys screw up!


OS - Ubuntu 14.04/16.04 & Windows 10
Custom Desktop PC / Lenovo Y580 / Sager NP8258 / Dell XPS 13 (9350)
_____________________________________________________
Bachelor of Science in Computing Security from Drexel University
Security +


#4 MadmanRB (Members, "Spoon!!!!", 2,893 posts, Location: No time for that when there is evil afoot!)

Posted 10 November 2015 - 03:46 PM

Give it two seconds before a fix is published.


You know you want me baby!

Proud Linux user and dual booter.

Proud Vivaldi user.

 



#5 SuperSapien64 (Members, 892 posts)

Posted 10 November 2015 - 10:35 PM

I wonder if it's a matter of time before they try targeting Linux home users?



#6 MadmanRB (Members, "Spoon!!!!", 2,893 posts)

Posted 10 November 2015 - 10:52 PM

Nah, not enough users on the desktop market.

It's actually a brilliant tactic to try to cripple Linux servers though, due to the number of servers using Linux, but flawed in the fact that this is Linux, not Windows.




#7 SuperSapien64 (Members, 892 posts)

Posted 10 November 2015 - 11:10 PM

> Nah, not enough users on the desktop market.
>
> It's actually a brilliant tactic to try to cripple Linux servers though, due to the number of servers using Linux, but flawed in the fact that this is Linux, not Windows.

Maybe we'll see a Linux server version of Malwarebytes eventually.



#8 Aura (Malware Response Team, "Bleepin' Special Ops", 19,634 posts)

Posted 11 November 2015 - 06:25 AM

> Nah, not enough users on the desktop market.
> It's actually a brilliant tactic to try to cripple Linux servers though, due to the number of servers using Linux, but flawed in the fact that this is Linux, not Windows.

Windows Cryptoware also had flaws at some point. Once the author realizes it and adjusts it, then it'll become harder. This is a code implementation error, and it didn't happen solely because the target OS was Linux distros.



#9 MadmanRB (Members, "Spoon!!!!", 2,893 posts)

Posted 11 November 2015 - 06:59 AM

 

> > Nah, not enough users on the desktop market.
> > It's actually a brilliant tactic to try to cripple Linux servers though, due to the number of servers using Linux, but flawed in the fact that this is Linux, not Windows.
>
> Windows Cryptoware also had flaws at some point. Once the author realizes it and adjusts it, then it'll become harder. This is a code implementation error, and it didn't happen solely because the target OS was Linux distros.

Well, no OS is bulletproof; however, the advantage of Linux is that holes can be patched much faster than on Windows.

Sure, exceptions happen and old code can go unnoticed (as seen in the bash issue not so long ago), but once the issue can be detected it can be fixed.

Linux is also a community of hackers and crackers working on the side of good; even if the people who made this code corrected themselves, the Linux coding community can easily see what they are doing with visualization.

This sort of thing can happen, yes, but unlike Windows you can be sure the Linux developers will fire something that can take this kind of thing down.




#10 Aura (Malware Response Team, "Bleepin' Special Ops", 19,634 posts)

Posted 11 November 2015 - 07:41 AM

> Well, no OS is bulletproof; however, the advantage of Linux is that holes can be patched much faster than on Windows.


The hole here wasn't in Linux, but in the Cryptoware, so I don't understand what your point is. Like I said, some Cryptoware on Windows had flaws as well, just like this one on Linux. The hole wasn't in Windows, but in the Cryptoware and once it gets patched, you can be sure that Linux server owners will be affected and will have to pay the ransom.



#11 mremski (Members, 493 posts, Location: NH)

Posted 11 November 2015 - 08:20 AM

The hole wasn't in the Linux kernel, but in applications. This may seem like a semantic difference, but it's important, especially if you are running a public-facing server. Start with the OpenBSD philosophy: default deny everything. That way you are completely in control of what is turned on. Yes, it is a big PITA in the beginning, but if you're running a public-facing HTTP server, would you actually turn anonymous FTP on? Things get muddled very quickly when you blindly add "must haves" to make a web page full of pretty blinking/spinning/colorized stuff.

 

Bottom line:

If you are running a public-facing server of any kind, you must stay on top of security notices for the base OS and all applications (plus any plugins). Jails and chroot are your friends, as are read-only filesystems and checksums of important files/directories/partitions.

 

You can't just set it up and walk away, you have to stay involved.

 

My opinions only feel free to disagree


FreeBSD since 3.3, only time I touch Windows is to fix my wife's computer
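One concrete form of the "checksums of important files" advice in the post above, as an added example that is not part of the thread: take a SHA-256 baseline of a web root while it is known-good, store it somewhere the web server cannot write, and diff against it on a schedule. The check also scores each changed or new file's byte entropy, because a file that was source or HTML yesterday and is indistinguishable from random bytes today is what in-place encryption looks like, whatever the encoder is called. The web root, its files, the `.encrypted` suffix and the ransom-note name in the demo are all constructed for this example and are not taken from any sample.

```python
"""Baseline-and-verify file integrity check with an entropy heuristic (added example)."""
import hashlib
import json
import math
import tempfile
from collections import Counter
from pathlib import Path

CHUNK = 65536


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large uploads never sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative POSIX path -> digest for every regular file below root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def save_baseline(baseline: dict, out: Path) -> None:
    # Keep this file off the web host or on read-only media: a baseline the
    # attacker can rewrite after encrypting everything is worthless.
    out.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, well under 6 for code or HTML."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify(root: Path, baseline: dict, entropy_threshold: float = 7.5) -> dict:
    """Diff the live tree against the baseline and flag high-entropy changes."""
    current = build_baseline(root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    # A known file that changed and now looks random is in-place encryption;
    # a new random-looking file beside a missing one is rename-and-encrypt.
    suspicious = sorted(p for p in modified + added
                        if shannon_entropy((root / p).read_bytes()[:CHUNK]) >= entropy_threshold)
    return {"modified": modified, "removed": removed, "added": added, "suspicious": suspicious}


def _fake_ciphertext(n_blocks: int = 128) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n_blocks))


def demo() -> dict:
    """Build a constructed web root, baseline it, simulate an encoder run, verify."""
    with tempfile.TemporaryDirectory(prefix="webroot_") as tmp, \
         tempfile.TemporaryDirectory(prefix="baseline_") as store:
        root, bpath = Path(tmp), Path(store) / "baseline.json"
        (root / "images").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'site'); ?>\n")
        (root / "images" / "logo.svg").write_text("<svg xmlns='http://www.w3.org/2000/svg'/>\n")
        save_baseline(build_baseline(root), bpath)

        # Simulated encoder run (all names constructed): one file encrypted in
        # place, one renamed and encrypted, and a ransom note dropped.
        (root / "index.php").write_bytes(_fake_ciphertext())
        (root / "wp-config.php").unlink()
        (root / "wp-config.php.encrypted").write_bytes(_fake_ciphertext(64))
        (root / "README_FOR_DECRYPT.txt").write_text("Your files are encrypted. Pay 1 BTC.\n")

        return verify(root, load_baseline(bpath))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run the baseline step from a clean deploy and the verify step from cron or a CI job that reads the tree over a read-only mount; the note file shows up as "added" but not "suspicious", which is the right split, since a plain-text drop is worth alerting on but is not the thing that destroyed your data.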


#12 MadmanRB (Members, "Spoon!!!!", 2,893 posts)

Posted 11 November 2015 - 08:53 AM

 

> > Well, no OS is bulletproof; however, the advantage of Linux is that holes can be patched much faster than on Windows.
>
> The hole here wasn't in Linux, but in the Cryptoware, so I don't understand what your point is. Like I said, some Cryptoware on Windows had flaws as well, just like this one on Linux. The hole wasn't in Windows, but in the Cryptoware and once it gets patched, you can be sure that Linux server owners will be affected and will have to pay the ransom.

I wasn't just referring to the kernel; a lot of things in the Linux world can be easily protected against stuff like this.




#13 Aura (Malware Response Team, "Bleepin' Special Ops", 19,634 posts)

Posted 11 November 2015 - 09:18 AM

Why do you keep on talking about Linux? I'm referring to the Cryptoware here, Linux.Encoder.1, and not Linux.



#14 MadmanRB (Members, "Spoon!!!!", 2,893 posts)

Posted 11 November 2015 - 09:22 AM

Well, again, there are coders on both sides; let these people try, but now they are playing with a different kettle of fish.




#15 Aura (Malware Response Team, "Bleepin' Special Ops", 19,634 posts)

Posted 11 November 2015 - 09:33 AM

Either you didn't read what I said, or you just refuse it/avoid it for whatever reason there is. I'm telling you that what allowed Bitdefender to create a way to recover files for free was a flaw in the Cryptoware, not in Linux; therefore, if the Cryptoware author patches the malware correctly, the next wave will leave the victims with no free way to get their files back unless a new flaw is discovered that allows decryption without paying the ransom.





