Linux hit by crypto-ransomware - but attackers botch private key



Admins are facing a variant of Linux malware that encrypts files on infected web servers. But the good news for now is the private key that locks down those files is predictable.
The crypto-ransomware is aimed at Linux system administrators and demands exactly one Bitcoin to restore access to key files. One Bitcoin was worth about $420 last week but is currently $375.

According to Russian antivirus firm Dr Web, which labeled the ransomware Linux.Encoder.1, the files it encrypts suggest the main target is website administrators whose machines have web servers deployed on them.

The malware first encrypts directories for home, root, MySQL, nginx, and Apache and then moves on to encrypt files for web apps, backups, Git projects and numerous other files with specific extensions, such as .exe, .apk and .dll.

The files are encrypted with AES-128 while decryption requires a private RSA key, which the attackers claim they will provide after payment.

"Compromised files are appended by the malware with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a file with a ransom demand -- to have their files decrypted, the victim must pay a ransom in the Bitcoin electronic currency," Dr Web notes.

The company said previous attacks on web servers have exploited a recently-patched flaw in the Magento content-management system, so that could be how Linux machines are being infected.

At the end of October, Magento warned users to install a bundle of patches, which included a fix for a remotely-exploitable bug that gave access to system files in some server configurations.

The company said it expected automated attacks on Magento installations following the publication of the issue by the security researcher who reported the bug.

Continue reading at the source: http://www.zdnet.com/article/crypto-ransomware-strikes-linux-but-attackers-botch-private-key/

Moral of the story, system administrators should keep on top of the latest security updates that affect their systems.
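As an added triage example (not code from the article, Dr Web or the malware itself): a small Python script that inventories files carrying the .encrypted suffix and the per-directory ransom note described in the Dr Web quote above, so a responder can scope how far an infection reached before restoring from backup; the ransom-note filename and the sample directory tree are assumptions constructed for the demo.

```python
"""Scope a Linux.Encoder.1-style incident: list files carrying the .encrypted
suffix grouped by directory and note which directories also hold a ransom note.
Added example, not code from the article or Dr Web; the note filename and
the sample tree are constructed assumptions."""
import os
import tempfile
from collections import defaultdict

ENCRYPTED_SUFFIX = ".encrypted"
RANSOM_NOTE_NAME = "RANSOM_NOTE.txt"  # assumed placeholder; the article does not name it


def scope_incident(root):
    """Walk root; return {relative dir: {"encrypted": [names], "note": bool}}
    for every directory holding at least one .encrypted file or a note."""
    report = defaultdict(lambda: {"encrypted": [], "note": False})
    for dirpath, _dirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        for name in filenames:
            if name.endswith(ENCRYPTED_SUFFIX):
                report[rel]["encrypted"].append(name)
            elif name == RANSOM_NOTE_NAME:
                report[rel]["note"] = True
    return dict(report)


def summarize(report):
    """Totals a responder wants first, plus directories that carry a note
    but no encrypted files (worth a manual look)."""
    return {
        "directories": len(report),
        "files": sum(len(v["encrypted"]) for v in report.values()),
        "note_only": sorted(d for d, v in report.items()
                            if v["note"] and not v["encrypted"]),
    }


def build_sample_tree():
    """Constructed layout mirroring the article's targets; not real data."""
    root = tempfile.mkdtemp(prefix="encoder-triage-")
    layout = {
        "var/www/html": ["index.php.encrypted", "db.php.encrypted", RANSOM_NOTE_NAME],
        "home/admin": ["notes.txt.encrypted", RANSOM_NOTE_NAME],
        "var/lib/mysql": ["ibdata1.encrypted"],
        "etc/nginx": ["nginx.conf"],  # untouched directory, must not appear
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel))
        for n in names:
            open(os.path.join(root, rel, n), "w").close()
    return root
```

Point scope_incident at a real mount (read-only, from a clean host) and feed the report to summarize to get the affected-directory and file counts for the incident record.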
