Linux ransomware

From ICO wiki
Revision as of 19:34, 9 June 2017 by Fislam (talk | contribs) (encryption)
Jump to navigationJump to search

Written by: Farhan Islam-C11 Group

Ransomware in Linux

What is Ransomware?

Ransomware is a very dangerous malware. It restricts users from accessing their system by either locking the system's screen or locking the user's files till the random is paid. Modern day ransomwares are categorized as Crypto Ransomware, which works by encrypting certain files and forces the user to pay online usually using a crypto currency. After the ransom is paid, the user gets a decryption key, and is able to use that to unlock the system.

How Linux Ransomware Works

The existence of linux ransomwares weren't discovered until a couple of years ago. Dr.Web Antivirus detected a certain ransomware that attacked linux based systems. This ransomware was known as Linux.Encoder.1. This ransomware didn't just target any file/folder, it targeted the files & folders associated with the web server, this is usually wherever the document root of the web server is located, but it is not limited to it.The ransomware gets root access to system, and it downloads the files with the hackers demands along with a file that has a path to a public RSA (encryption algortighm) key. After that the malicious program starts as a daemon and deletes the original files. Afterwards, the RSA key is used to store AES (Advanced Encryption Standard) keys, which is used by the malicious program to encrypt files on the infected computer.The Linux.Encoder.1 starts by encrypting all the directories in the web server root. The hackers usually specify a string name for file extensions, or a pattern. The ransomware only encrypts the files that meet that criteria. Some common file extensions that are encrypted include .tar.gz , .jpg, .apk, .pub, .mp4, .html . The following directories are commonly encrypted /home, /root, /var/lib/mysql, /etc/nginx, /var/www. The following are not encrypted ./, ssh, /usr/bin, /bin, /etc/ssh