Decryption Tool Foils Linux Server Ransomware Attacks

Bitdefender on Monday released a free decryption tool designed to wrest data from the grip of a rare type of ransomware that’s been plaguing Linux servers.

Details for performing the decryption are available on the company’s website.

Essentially, the solution takes advantage of a flaw in the ransomware, which Bitdefender discovered through reverse-engineering.

The ransomware attacks came to light last week, when Dr.Web reported that extortionists have been exploiting vulnerabilities in software running on Linux servers to gain administrative privileges.

They then plant the malware, Linux.Encoder.1, on the systems, according to Dr.Web.

Once on a system, the malware downloads its ransomware files and a file with a link to a public encryption key. That public key is then used to secure additional keys, which in turn are used to encrypt important files on the server.

After finishing its work, the malware will demand payment of a ransom in order to decrypt the files and get the server back online. Ransoms are typically one or two bitcoins, or US$380 to $760, according to today’s exchange rate.

Those payments need not be made, however, according to Bitdefender, as victims can use its decryption tool to reclaim their data.

Ransomware Escalation

However, for targets unaware of the solution, the ransomware can still take its toll.

The ransomware works in situations where “a Web server or a Linux host has some kind of vulnerability that allows a user to put this piece of malware on them,” said Wayne Crowder, director of threat intelligence at RiskAnalytics.

“There are vulnerabilities in older software for payment processing or content management. They can get in through that and obtain the credentials to pull down the malware and run it,” he told LinuxInsider.

“There have to be bigger problems on a website before this can happen,” Crowder added. “They have to have things that aren’t implemented properly, and they have to have some type of vulnerability.”

Although there’s been an epidemic of ransomware on Windows PCs, this is the first major outbreak on Linux servers.

“This iteration of ransomware targeting Linux servers is an escalation,” said Paul Ferguson, a senior threat research advisor at Trend Micro.

“It’s almost a natural progression,” he told LinuxInsider.

Safety in Good Hygiene

While administrators need to stay on their toes to prevent their systems from being victimized by the ransomware, consumers largely will be unaffected by it.

“The average consumer won’t be hit by this, unless there is a particular website they rely on heavily on a daily basis that gets hit with this stuff,” Ferguson said.

Administrators who engage in good security hygiene will be in a better position to foil the ransomware than those who don’t.

“It’s not glamorous, but you need to do the basic blocking and tackling — patch your systems and other good hygiene,” RiskAnalytics CEO Jeff Stull said.

“Since the Trojan goes through and encrypts only certain directories and the file extensions generally associated with websites, daily backups are a pretty good potential remedy here,” said Vann Abernethy, a product manager at NSFocus.

Because the ransomware attack exploits either a website or third-party software vulnerability, “this is just another reason for Web administrators to employ some sort of Web application firewall, engage third-party vulnerability scanning, and require that any third-party software providers supply evidence that they follow sound application security practices, such as Veracode certification,” he told LinuxInsider.
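The daily-backup remedy Abernethy describes only helps if the backup can actually be restored and has not itself been tampered with. The script below is an added example, not code from the article or from any of the vendors quoted; it archives the web content directories, writes a SHA-256 manifest beside the archive, and verifies both before the copy is trusted. The paths `/var/www` and `/var/backups/web` are assumed defaults and can be overridden through the `WEB_DIRS` and `BACKUP_ROOT` environment variables.

```shell
#!/bin/sh
# Added example (not from the article): daily backup of web content
# directories with an integrity manifest, so a restore after an incident
# can be verified rather than assumed.
# Assumed defaults: WEB_DIRS=/var/www, BACKUP_ROOT=/var/backups/web.
set -eu

WEB_DIRS="${WEB_DIRS:-/var/www}"
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/web}"

# backup_web DIRS DEST
# Archives the space-separated directories in DIRS into DEST/web-<stamp>.tar.gz,
# writes a sha256 manifest next to it and prints the archive path.
backup_web() {
    dirs="$1"
    dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    mkdir -p "$dest"
    archive="$dest/web-$stamp.tar.gz"
    # Word-splitting of $dirs is intended: each entry is one directory.
    # shellcheck disable=SC2086
    tar -czf "$archive" $dirs
    sha256sum "$archive" > "$archive.sha256"
    echo "$archive"
}

# verify_backup ARCHIVE
# Re-checks the archive against its manifest and confirms it lists at least
# one member. Returns 0 only when both checks pass.
verify_backup() {
    archive="$1"
    sha256sum -c --status "$archive.sha256" || return 1
    tar -tzf "$archive" | grep -q .
}

# prune_old DEST DAYS
# Removes archives and manifests older than DAYS days. Keep the window longer
# than the time it realistically takes to notice an encryption incident.
prune_old() {
    find "$1" -name 'web-*.tar.gz*' -mtime +"$2" -delete
}

# Typical daily run (uncomment to use as a cron job):
# archive=$(backup_web "$WEB_DIRS" "$BACKUP_ROOT")
# verify_backup "$archive" || { echo "backup verification failed" >&2; exit 1; }
# prune_old "$BACKUP_ROOT" 30
```

Ship the archives off the host (or to a write-once destination) after verification; a backup that sits on the same server in a directory the malware can reach is no better than the originals. Verification is deliberately run against the manifest rather than just the exit status of `tar`, so a truncated or altered archive is caught before anyone relies on it.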

Pay or Not?

Administrators should alert law enforcement if their sites get infected with the ransomware, Trend Micro’s Ferguson recommended.

“If you do get hit, make sure you reach out to the IC3 website that the FBI runs for reporting incidents so it can start getting an idea of the impact of this stuff and can start quantifying losses,” he said. “Department of Justice attorneys usually get motivated when they can quantify losses to businesses.”

If a site does get infected, the $380 or $760 question is, should it pay the ransom?

“Paying ransoms makes the business model for the criminals work,” Simon Crosby, CTO of Bromium, told LinuxInsider.

“Collectively, we’re all worse off when people pay these ransoms,” RiskAnalytics’ Stull told LinuxInsider. “It’s the same reason the United States says it doesn’t negotiate with terrorists. Once you start down that slippery slope, it’s going to continue.”

In the case of Linux.Encoder.1, given the availability of the Bitdefender decryption tool, there appears to be no need for anyone to capitulate to the ransom demands.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
