Linux encryption ransomware hacked – how to get your files back
The ransomware trojan Linux.Encoder.1 has been defeated, thanks to a critical flaw in the way it encrypts files.
Bitdefender Labs said it found a way to recover the AES key the malware uses to encrypt the files on the Linux servers it targets.
It said the AES key is generated on the victim’s computer, and after reverse-engineering how the key and initialisation vector are generated, researchers discovered a design flaw.
The Linux.Encoder.1 sample derived the key and initialisation vector using the rand() function from the standard C library, seeded with the current system timestamp at the moment of encryption.
This information can be retrieved by looking at the file’s timestamp.
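The following C program is an added illustration of the flaw described above, not Bitdefender's tool or the malware's code: the key derivation (rand() after srand(timestamp)), the XOR stand-in for AES, the file contents and the timestamps are all constructed assumptions; only the recovery idea, scanning seeds near the file's mtime until a known plaintext header reappears, is what the article describes.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16

/* Constructed model of the flaw: key = rand() outputs after srand(timestamp). */
static void derive_key(uint32_t seed, uint8_t key[KEY_LEN]) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Stand-in cipher (XOR with the key): enough to show key recovery, not AES. */
static void xor_crypt(const uint8_t key[KEY_LEN], uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] ^= key[i % KEY_LEN];
}

/* The mtime is set shortly after the seed was taken, so scan [mtime-window, mtime]
 * and accept the seed whose key turns the ciphertext's start back into a known header. */
uint32_t recover_seed(const uint8_t *enc, const uint8_t *known, size_t known_len,
                      uint32_t mtime, uint32_t window) {
    uint8_t key[KEY_LEN];
    for (uint32_t d = 0; d <= window; d++) {
        uint32_t cand = mtime - d;
        derive_key(cand, key);
        size_t i = 0;
        while (i < known_len && (enc[i] ^ key[i % KEY_LEN]) == known[i])
            i++;
        if (i == known_len) return cand;   /* header matched: seed found */
    }
    return 0;                              /* no candidate in the window fit */
}

/* Constructed end-to-end run: encrypt under a time seed, recover it from mtime + known header, decrypt. Returns 1 on success. */
int demo(void) {
    static const uint8_t plain[] = "#!/bin/sh\necho constructed sample\n";
    static const uint8_t header[] = "#!/bin/sh";
    uint8_t buf[sizeof plain], key[KEY_LEN];
    uint32_t t_enc = 1447000000u, mtime = t_enc + 3;  /* constructed times */
    memcpy(buf, plain, sizeof plain);
    derive_key(t_enc, key);
    xor_crypt(key, buf, sizeof buf);
    uint32_t seed = recover_seed(buf, header, sizeof header - 1, mtime, 60);
    if (seed != t_enc) return 0;
    derive_key(seed, key);
    xor_crypt(key, buf, sizeof buf);
    return memcmp(buf, plain, sizeof plain) == 0;
}
```

The same scan works for any file type with a predictable header (ELF, PNG, gzip), which is why a timestamp-seeded key offers no real protection.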
It released the following guide on how to get your data back.
Recovering your server from a Linux.Encoder.1 infection
- Download the script from the Bitdefender Labs repository.
The chances are that the encryption has affected system files, and you might need to boot from a live CD or mount the affected partition on a different machine.
- Mount the encrypted partition using the mount command:
mount /dev/[encrypted_partition]
- Generate a list of encrypted files by issuing the following command:
/mnt# sort_files.sh encrypted_partition > sorted_list
- Issue a head command to get the first file:
/mnt# head -1 sorted_list
- Run the decryption utility to get the encryption seed:
/mnt# python decrypter.py -f [first_file]
- Decrypt everything using the displayed seed:
/mnt# python /tmp/new/decrypter.py -s [timestamp] -l sorted_list
Some machines double-infected
Bitdefender said it received complaints that its recovery tool was not working for everyone.
It found that some machines were infected with Linux.Encoder.1 more than once, suggesting that the trojan was executed multiple times.
This means that some files were encrypted using one key and others using a different key. In doing so, a race condition is created that destroys some files.
It updated its tool to take this evolution of the ransomware into account, and released a new version of the script for download on its website.