New Ransomware Targets Linux Web Servers Running Magento – Update

A new breed of ransomware has been discovered that targets web servers running Linux. In any case, the ransomware, called Linux.Encoder.1, exploits vulnerabilities in e-commerce software Magento, but other attack vectors are not excluded.

The ransomware was identified by Dr.Web late last week. When the ransomware accesses a system, it invades multiple folders with default names and encrypts their contents with aes-cbc-128. A readme_for_decrypt.txt file containing the ransom demand is then placed in each folder. The directories for MySQL servers and the web directories of Apache and Nginx web servers are among the targets. On the contrary, the operating system itself is left alone to give the administrator every opportunity to find the ransom demand.

According to Krebs on Security sources, the infection occurs through security holes in the e-commerce software Magento. The gap in that software was closed at the beginning of this year, but administrators are responsible for keeping the software up-to-date. However, it cannot be ruled out at this point that the ransomware only spreads through the hole in Magento and has no other attack vectors.

According to Krebs on Security sources, files are automatically decrypted by the ransomware when the ransom is paid, although there are very minor variations in files. At the time of writing, only 13 of the 54 antivirus services of Google’s Virustotal are able to catch Linux.Encoder.1.

Update, Tuesday, 09:55: BitDefender has now managed to find out how the ransomware generates its key. The company has published a script that allows users to easily retrieve this key and decrypt their files.

Image: Dr. Web