
Ransomware Found Targeting Linux Servers and Coding Repositories


Karamjit


Malware operators are taking aim at Web developers

A newly discovered ransomware is attacking Linux Web servers, taking aim at Web development environments used to host websites or code repositories.

Russian antivirus maker Dr.Web came across this malware and said that the ransomware needs root privileges to work. Additionally, the company also said it does not yet know how the ransomware infects computers, but taking into account previous Linux-based malware infections, the main culprit may be an open SSH port with weak credentials (not confirmed).

The ransomware uses AES encryption to lock down files

As for its modus operandi, when the ransomware launches, it starts to download the ransom message, and then a file containing the public RSA key. The latter key is then used to store AES keys used to encrypt the local files.

When this happens, the ransomware adds the .encrypt extension to each file, and places a ransom text message in each folder where it encrypts data.

The ransomware has a taste for Web pages and their associated file extensions

The malware specifically targets files in folders that are generally found in Linux Web server setups, or in coding and development environments.

This includes directories like /home, /root, /var/lib/mysql, /var/www, /etc/nginx, /etc/apache2, /var/log, and any directory that includes terms like git, svn, webapp, www, public_html, or backup. The ransomware also looks for files that have extensions specific to Web development environments like .js, .css, .properties, .xml, .ruby, .php, .html, .gz, .asp, and such. Other file extensions known to host data are also covered (.rar, .7z, .xls, .pdf, .doc, .avi, .mov, .png, .jpg, etc.).

Dr.Web detects the ransomware as Linux.Encoder.1. After careful analysis, the company said that Linux.Encoder.1 is coded in C and also uses the PolarSSL library.

Below is an image of the ransom note presented to victims. The ransom is for 1 Bitcoin ($300-$400) only, which is below the average of 2-4 Bitcoin which most ransomware operators ask.




Researchers at Russian antivirus company Doctor Web have come across a new file-encrypting ransomware that appears to be targeting machines running Linux operating systems.

The security firm believes tens of users have already fallen victim to the threat, which seems to be mainly aimed at webmasters whose machines host web servers.

Source

 http://www.securityweek.com/file-encrypting-ransomware-targets-linux-users
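The directory and extension rules in the post above translate directly into a triage sweep an admin can run on a suspect box: which files sit in the locations Linux.Encoder.1 walks and carry an extension it encrypts (exposure), which files already wear the .encrypt extension, and which directories hold a ransom note. The script below is an added example written for this thread, not Dr.Web's tooling or the malware's own code. It assumes the extension list on the page is only a partial one ("and such"), and the ransom-note filename README_FOR_DECRYPT.txt is an assumed placeholder, since the post does not give the real name. The sample tree it scans is constructed in a temporary directory, so it runs offline.

```python
"""Triage sweep for the Linux.Encoder.1 targeting rules described in the post.

Added example for this thread (not Dr.Web's or the malware's code).
"""
import os
import tempfile
from pathlib import Path

# Directories the post says the ransomware walks, relative to the filesystem root.
TARGET_ROOTS = ("home", "root", "var/lib/mysql", "var/www",
                "etc/nginx", "etc/apache2", "var/log")
# Path-component keywords that also mark a directory as a target.
TARGET_TOKENS = ("git", "svn", "webapp", "www", "public_html", "backup")
# Extensions named in the post; the real list is longer ("and such").
TARGET_EXTS = {".js", ".css", ".properties", ".xml", ".ruby", ".php", ".html",
               ".gz", ".asp", ".rar", ".7z", ".xls", ".pdf", ".doc", ".avi",
               ".mov", ".png", ".jpg"}
ENCRYPTED_EXT = ".encrypt"            # extension the post says is appended
NOTE_NAME = "README_FOR_DECRYPT.txt"  # ASSUMED note filename; the post does not give it


def is_targeted_dir(rel_dir: str) -> bool:
    """True if a directory (relative to the scan root, '/' separators) matches the rules."""
    rel = rel_dir.strip("/")
    if any(rel == r or rel.startswith(r + "/") for r in TARGET_ROOTS):
        return True
    parts = rel.lower().split("/")
    return any(tok in part for part in parts for tok in TARGET_TOKENS)


def is_targeted_file(name: str) -> bool:
    """True if the file's extension is one the post lists."""
    return Path(name).suffix.lower() in TARGET_EXTS


def sweep(root: str) -> dict:
    """Classify files under root: at-risk, already encrypted, and dirs holding a note."""
    at_risk, encrypted, noted = [], [], []
    root = os.path.abspath(root)
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel_dir == ".":
            rel_dir = ""
        targeted = is_targeted_dir(rel_dir)
        for f in files:
            rel_file = f"{rel_dir}/{f}" if rel_dir else f
            if f == NOTE_NAME:
                noted.append(rel_dir)
            elif f.endswith(ENCRYPTED_EXT):       # already hit, whatever the directory
                encrypted.append(rel_file)
            elif targeted and is_targeted_file(f):
                at_risk.append(rel_file)
    return {"at_risk": sorted(at_risk),
            "encrypted": sorted(encrypted),
            "noted_dirs": sorted(noted)}


def build_sample_tree(base: str) -> None:
    """Constructed sample filesystem (not real data) mixing targeted and untouched paths."""
    layout = {
        "var/www/site/index.php": "<?php echo 1; ?>",     # targeted dir + listed ext
        "var/www/site/app.js": "console.log(1)",          # targeted dir + listed ext
        "home/dev/project.git/config": "[core]",          # targeted dir, ext not listed
        "home/dev/notes.pdf": "%PDF",                     # targeted dir + listed ext
        "opt/tool/run.sh": "#!/bin/sh",                   # outside every targeted dir
        "srv/backup/db.xls.encrypt": "ciphertext",        # already encrypted
        "srv/backup/" + NOTE_NAME: "pay up",              # ransom note dropped here
        "etc/nginx/nginx.conf": "server {}",              # targeted dir, ext not listed
    }
    for rel, content in layout.items():
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def run_demo() -> dict:
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

On a real server you would call sweep("/") as root and treat any non-empty "encrypted" or "noted_dirs" list as an incident, while the "at_risk" list sizes the blast radius before the machine is reimaged. Because the note filename is an assumption, adjust NOTE_NAME to whatever the sample actually drops.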

10s? Lol, what's 10s. Most Linux servers are run by Windows users that don't know much about it, no way. Most people on Linux don't even have an AV, and only 10 or 20 people were infected?

If something like this happened on Windows, millions would have got infected, even running anti-malware programs. :lol:

It was so bad on Windows the police had to give Kaspersky the keys to unlock it. They never did decrypt it.


