Linux users targeted by new Linux.Encoder.1 encryption ransomware
Extortion is just the latest in a series of weapons being used to terrorize computer users and technology companies. One of the most recent victims was ProtonMail which found itself the subject of a DDoS attack and a ransom demand -- and despite paying up, the attacks continued. But individual users also have their feet held in the fire by ransomware.
It's something that mobile users have become familiar with. Android users have been hit by malware that encrypts the contents of their phones and renders it inaccessible until a ransom is paid. It's a problem that has also affected Windows users, and the latest target is Linux. Web servers powered by Linux are being targeted by the Linux.Encoder.1 crypto-ransomware.
Server contents are encrypted, with virus writers exploiting a vulnerability in the Magent CMS, warns anti-virus company Dr Web. Once installed, the Trojan uses an RSA key to encrypt files before deleting the originals. Linux.Encoder.1 targets files in numerous directories including /home and /root.
Dr Web says:
First, Linux.Encoder.1 encrypts all files in home directories and directories related to website administration. Then the Trojan recursively traverses the whole file system starting with the directory from which it is launched; next time, starting with a root directory (“/”). At that, the Trojan encrypts only files with specified extensions and only if a directory name starts with one of the strings indicated by cybercriminals.
Compromised files are appended by the malware with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a file with a ransom demand -- to have their files decrypted, the victim must pay a ransom in the Bitcoin electronic currency.
The company provides more details of the activities of Linux.Encoder.1 in its database, and advises contacting technical support rather than trying to remedy the problem manually.