Originally uncovered by an antivirus and research company, DrWeb, they stated, [Linux.Encoder 1] “The Linux ransomware is written in C and leverages the PolarSSL library, it launches itself as a daemon that encrypt data and deletes the original files from the system.” The goal of the malicious software is to create an attack against those with the most power over a website, breaching the folders and files that are critical for operation and encrypting those that have specific association with the control factor. While the initial attack group for the Linux.Encoder 1 ransomware was fairly small, the number of those infected has grown almost exponentially.
The cybercriminals that designed the ransomware does not actually affect Linux, instead, it takes advantage of the little known security loophole in the platform for Magento e-commerce. The last Magento patch was released Feb. 9, 2015 and they assume that most have not added the patch, which included a fix for the loophole. All those that did download the patch will be fine and only those that avoided the upgrade are at risk.
A user will know that their system has been breached when they receive the traditional ‘ransomware screen’ announcing the attack and the usual readme file that contains all of the instructions for Bitcoin payment. As with all ransomware, there is a time limit on payment.
“Maintaining updated security protocols, software and patches are part of the priority guidelines that DaVinci Forensics uses in working with clients to ensure system safety. We know that cybercriminals will seek out any weak areas that may exist in a network and exploit them with the creation of malicious software. Our goal is to coordinate efforts through education to assist in protection against breaches, loss of proprietary information and ransomware attacks.” Sharon Knowles, CEO of DaVinci Forensics
The main problem with Linux.Encoder 1 is that once it has infected the administrator system there are only two choices involved:
1} Pay the ransomware demand, knowing that there is a chance that they will not receive an de-encryption key (reported to be around $380 on average) or
2} Invest in a professional company to come in and spend an intense amount of time to repair and fix the system so that it can be returned to a normal state.
The later can be an expense that was not considered as the method that this virus uses is a variation in the way it changes ownership as well as file names. Anyone that has suffered from an attack of the Linux.Encoder 1 should not attempt to repair or fix anything on their own. Even the most adept internal technician can cause irreparable damage.
***Sources***
http://techcrunch.com/2015/11/06/linux-ransomware-is-now-attacking-webmasters/ http://securityaffairs.co/wordpress/41787/cyber-crime/linux-ransomware.html
