Free Republic
General/Chat
Thanks for playing: New Linux ransomware decrypted, pwns itself
The Register ^ | 12 November 2015 | Darren Pauli

Posted on 11/12/2015 12:01:16 PM PST by ShadowAce

Ransomware targeting Linux servers has been thwarted by hard working security boffins, with help from the software itself, mere days after its existence was made public.

The Linux.Encoder.1 ransomware seeks Linux systems to encrypt and like others of its ilk demands owners pay BitCoins to have files decrypted.

But the first iteration of the malware has, like most betas, proven fallible.

Not only can it be decrypted using scripts without the need for ransoms to be paid, but it can re-encrypt itself, corrupting files and even encrypting the ransom note that directs victims how to pay the extortion.

Bitdefender security wonks report both failures, including the flaw in Linux.Encoder's local encryption key generation that allowed it to be removed and files decrypted.

"We looked into the way the (AES) key and initialisation vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab," crypto geek Radu Caragea says.

"The tool determines the initialisation vector and the encryption key simply by analysing the file, then performs the decryption, followed by permission fixing.

"If your machine has been compromised, consider this a close shave. Most crypto-ransomware operators pay great attention to the way keys are generated in order to ensure your data stays encrypted until you pay."

The supposedly secure random keys and initialisation vectors are generated from the libc rand() function, seeded with the current system timestamp at the point of encryption.

"This information can be easily retrieved by looking at the file’s timestamp [and] is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the" attacker's key, he says.

Caragea says BitDefender's tool (available for free on its site) may not work for those Linux admins who have been infected with multiple instances of the Linux ransomware.

This is because each instance encrypts files using a different key, which creates a race condition that truncates some file contents to zero.

The obliteration of Linux.Encoder.1 comes days after BitDefender released a preventative tool that stops the reigning ransomware kings Cryptowall and CTB Locker from executing on victim systems. It does so by blocking executables that run from the Windows AppData and Startup folders.

Those ransomware variants, including the fourth iteration of Cryptowall also released this week, are well built and do not contain publicly-known encryption implementation flaws that could allow files to be decrypted without payment. ®


TOPICS: Computers/Internet
KEYWORDS: linux; ransomware; security

1 posted on 11/12/2015 12:01:16 PM PST by ShadowAce
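The key-generation flaw Caragea describes can be shown in a few lines. What follows is an added example, not code from the article, from The Register or from Bitdefender's tool. It simulates the flawed scheme with the ANSI C reference rand() standing in for glibc's rand() and a toy XOR keystream standing in for AES (both are assumptions made for illustration, so the byte values differ from the real malware), then shows why a defender can recover the key from nothing more than the file's modification time, and what the correct key source looks like.

```python
"""Why a timestamp-seeded rand() is not a key generator.

Added example, not code from the article or from Bitdefender's decryption tool.
It models the design flaw described above: key and IV come from a libc-style
rand() seeded with the encryption-time timestamp, and that timestamp is
recoverable from the encrypted file's mtime. Two stand-ins are assumed here:
the PRNG is the ANSI C reference rand() (not glibc's implementation), and the
"cipher" is a toy XOR keystream used only to show key recovery; it is not AES.
"""
import secrets

KEY_LEN = 16
IV_LEN = 16
RAND_MAX = 32767
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # known plaintext a decryptor can check against


class AnsiRand:
    """The rand()/srand() example from the C standard; stand-in for libc rand()."""

    def __init__(self, seed):
        self.state = seed & 0xFFFFFFFF

    def rand(self):
        self.state = (self.state * 1103515245 + 12345) & 0xFFFFFFFF
        return (self.state >> 16) & RAND_MAX


def derive_key_iv(seed):
    """Flawed derivation: all 32 bytes of key and IV follow from one 32-bit seed."""
    rng = AnsiRand(seed)
    key = bytes(rng.rand() & 0xFF for _ in range(KEY_LEN))
    iv = bytes(rng.rand() & 0xFF for _ in range(IV_LEN))
    return key, iv


def toy_encrypt(data, key, iv):
    """Toy XOR keystream standing in for AES-CBC; symmetric, so it also decrypts."""
    stream = AnsiRand(int.from_bytes(key[:4], "big") ^ int.from_bytes(iv[:4], "big"))
    return bytes(b ^ (stream.rand() & 0xFF) for b in data)


def recover_seed(ciphertext, known_prefix, mtime, window=60):
    """Defender-side recovery, as Bitdefender's tool did in principle.

    The seed is the time the file was encrypted, and the encrypted file's mtime
    was set moments later, so only a window of seconds back from the mtime has
    to be tried. Each candidate is confirmed against a known plaintext header.
    Returns (seed, key, iv) or None.
    """
    for seed in range(mtime, mtime - window - 1, -1):
        key, iv = derive_key_iv(seed)
        if toy_encrypt(ciphertext[:len(known_prefix)], key, iv) == known_prefix:
            return seed, key, iv
    return None


def simulate_and_recover(encryption_time, mtime_observed):
    """Encrypt a constructed PNG-like file with the flawed scheme, then recover it.

    Returns (recovered_seed, fully_decrypted) or None if recovery failed.
    """
    plaintext = PNG_MAGIC + b"constructed sample image data"  # constructed input
    key, iv = derive_key_iv(encryption_time)
    ciphertext = toy_encrypt(plaintext, key, iv)
    recovered = recover_seed(ciphertext, PNG_MAGIC, mtime_observed)
    if recovered is None:
        return None
    seed, rkey, riv = recovered
    return seed, toy_encrypt(ciphertext, rkey, riv) == plaintext


def proper_key_iv():
    """The fix: key material from the OS CSPRNG, unrelated to any observable time."""
    return secrets.token_bytes(KEY_LEN), secrets.token_bytes(IV_LEN)


if __name__ == "__main__":
    # Constructed timestamps: file encrypted at T, mtime read back 3 seconds later.
    print(simulate_and_recover(1447358476, 1447358479))
    key, iv = proper_key_iv()
    ct = toy_encrypt(PNG_MAGIC + b"x", key, iv)
    print(recover_seed(ct, PNG_MAGIC, 1447358479))  # None: nothing to enumerate
```

The point of the contrast is the size of the search: with a timestamp seed the whole "key space" an analyst must try is the handful of seconds between encryption and the file's mtime, whereas a key from the OS CSPRNG has no relationship to anything on disk, so the same scan finds nothing.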

To: rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; Ernest_at_the_Beach; ...

2 posted on 11/12/2015 12:01:32 PM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: ShadowAce

How many bit coins to decrypt just 1 megabyte? (Chris Rock voice)


3 posted on 11/12/2015 12:08:42 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton
From the article:

Not only can it be decrypted using scripts without the need for ransoms to be paid, ...

4 posted on 11/12/2015 12:13:46 PM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: ShadowAce

https://www.youtube.com/watch?v=KNQRqAoT-2c


5 posted on 11/12/2015 12:15:09 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: ShadowAce

There is another short skit, though, where Chris Rock says “How much for one rib?” It’s based on the same joke lines as in the movie.


6 posted on 11/12/2015 12:17:02 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: ShadowAce

This may be the skit: https://www.youtube.com/watch?v=1JhmjqGuytk


7 posted on 11/12/2015 12:17:52 PM PST by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: for-q-clinton

You got change for $100?


8 posted on 11/12/2015 12:18:18 PM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: ShadowAce

Why can’t the bank account of the extortionist be traced?


9 posted on 11/12/2015 12:18:59 PM PST by Talisker (One who commands, must obey.)

To: Talisker

There is no bank account for bitcoin.


10 posted on 11/12/2015 12:19:49 PM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: ShadowAce

But there’s an owner, right? The bitcoin payments go somewhere, to someone. Some account.


11 posted on 11/12/2015 12:22:56 PM PST by Talisker (One who commands, must obey.)

To: Talisker
The bitcoin payments go somewhere, to someone. Some account.

It's all a big, non-centralized, encrypted database hosted on every bitcoin owner's computer.

12 posted on 11/12/2015 12:30:42 PM PST by ShadowAce (Linux - The Ultimate Windows Service Pack)

To: ShadowAce

If I was running the show, the perpetrators of ransomware would be given the death penalty, which would involve live burning at the stake on the Washington Mall, with live video being broadcast around the world. After the second round of burnings, I think ransomware would be a thing of the past.


13 posted on 11/12/2015 12:32:00 PM PST by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)

To: catnipman

You are far too merciful!


14 posted on 11/12/2015 1:17:52 PM PST by erkelly

To: Talisker

Bitcoin exists in the form of a shared ledger in which all transactions are recorded and freely viewable by anyone. (Just check out blockchain.info for example)

The catch is that nothing inherently links a given public key (used to send bitcoins to a given account) to a real-world individual. With a lot of detective work I expect most criminals trying to use bitcoin will eventually be caught, but it will take time. Criminals are having a hard time over the long run keeping their bitcoin activities secret, since even one slipup that connects a bitcoin transaction to an identifiable source gives law enforcement a solid lead to follow.

Current price of a bitcoin is ~$330 at the moment, BTW. That’s in the same ballpark as typical ransom demands. I really hope some solid countermeasures can be taken against ransomware as it makes people hate the method of payment (bitcoin), prejudicing them against a revolutionary advance in finance.


15 posted on 11/12/2015 1:30:12 PM PST by Another Post-American (Jesus died for your sins.)

