SHA1:
- a5054babc853ec280f70a06cb090e05259ca1aa7 (x64, UPX)
- 98e057a4755e89fbfda043eaca1ab072674a3154 (x64, unpacked)
- 810806c3967e03f2fa2b9223d24ee0e3d42209d3 (x64, FreeBSD)
- 12df5d886d43236582b57d036f84f078c15a14b0 (x86, UPX)
- 5bd6b41aa29bd5ea1424a31dadd7c1cfb3e09616 (x86, unpacked)
Encryption ransomware for Linux written in C using the PolarSSL library.
Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals' demands:
- ./readme.crypto—file with demands,
- ./index.crypto—HTML file with demands.
As an argument, the Trojan receives the path to the file containing a public RSA key.
Once the files are read, the malicious program starts as a daemon and deletes its original files.
First, the Trojan encrypts files in the following directories:
/home
/root
/var/lib/mysql
/var/www
/etc/nginx
/etc/apache2
/var/logAfter that, Linux.Encoder.1 encrypts all files in home directories. Then the Trojan recursively traverses the whole file system starting with the directory from which it is launched; next time, starting with a root directory (“/”). At that, the Trojan encrypts only files from directories whose names start with one of the following strings:
public_html
www
webapp
backup
.git
.svnAt that, the Trojan encrypts only files with the following extensions:
".php", ".html", ".tar", ".gz", ".sql", ".js", ".css", ".txt" ".pdf", ".tgz", ".war", ".jar", ".java", ".class", ".ruby", ".rar" ".zip", ".db", ".7z", ".doc", ".pdf", ".xls", ".properties", ".xml" ".jpg", ".jpeg", ".png", ".gif", ".mov", ".avi", ".wmv", ".mp3" ".mp4", ".wma", ".aac", ".wav", ".pem", ".pub", ".docx", ".apk" ".exe", ".dll", ".tpl", ".psd", ".asp", ".phtml", ".aspx", ".csv"
The Trojan does not encrypt files in the following directories:
/
/root/.ssh
/usr/bin
/bin
/etc/sshTo encrypt each file, the Trojan generates an AES key. After files are encrypted using AES-CBC-128, they are appended with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a README_FOR_DECRYPT.txt file with a ransom demand.
If decryption is initiated, Linux.Encoder.1 will use a private RSA key to retrieve AES keys from encrypted files, traverse directories in the same order as when they were encrypted, and delete README_FOR_DECRYPT.txt files trying to decrypt all files with the .ecnrypted extension.
Doctor Web security researchers have developed a decryption technique that may help restore files encrypted by this malicious program.
