Since past few years, Ransomware has emerged as one of the catastrophic malware programs that lets hacker encrypts all the contents of a victim’s hard drive or/and server and demands ransom (typically to be paid in Bitcoin) in exchange for a key to decrypt it.
Until now cyber criminals were targeting computers, smartphones and tablets, but now it appears they are creating ransomware that makes the same impact but for Web Sites – specifically holding files, pages and images of the target website for Ransom.
Dubbed Linux.Encoder.1 by Russian antivirus firm Dr.Web, the new strain of ransomware targets Linux-powered websites and servers by encrypting MySQL, Apache, and home/root folders associated with the target site and asking for 1 Bitcoin (~ $300) to decrypt the files.
The ransomware threat is delivered to the target website through known vulnerabilities in website plugins or third-party software.
Must Read: FBI Suggests Ransomware Victims — ‘Just Pay the Ransom Money’.
Once infected, the Linux.Encoder.1 malware encrypts all files in the Home directories on the system as well as Backup directories and the System Folders associated with Web site files, pages, images, code libraries and scripts.
Ransomware Uses AES Encryption
According to the security researchers, the ransomware in question needs root privileges to work. Additionally, when it launches, the malware starts downloading:
- The Ransom Message containing the demands of fraudsters
- A file containing the public RSA key
After that, the Ransomware starts as a daemon and deletes all of the original files. The RSA key is then used to store AES keys that are used by the ransomware to encrypt the local files on the infected computer.
The ransomware also adds the .encrypt extension to each file it encrypts and writes a ransom text message in every folder.
Also Read: FBI Offers $3 Million Reward For Arrest Of Russian Hacker behind CryptoLocker Ransomware.
Targeting Linux-Powered Websites and Servers
The malware specifically encrypts files in folders that are typically found in Linux Web server setups, including directories like home, root, MySQL, Apache, and any directory that includes terms such as git, svn, webapp, www, public_html, or backup.
Moreover, the ransomware looks for files that have extensions specific to Web development environments including .js, .css, .properties, .xml, .ruby, .php, .html, .gz, and .asp, as well as other file extensions like .rar, .7z, .xls, .pdf, .doc, .avi, .mov, .png, and .jpg.
Once the victim pays the ransom amount, the system receives a signal to pass over the directories again to decrypt the files.
Until security researchers create a decryption program, they recommend webmasters to backup all important data and keep all their files in place in case they are targeted.