New Ransomware Targets Linux Powered Websites

A new strain of ransomware targeting Linux-powered websites and servers has been discovered in the wild. It continues the trend and threat posed by any other ransomware: encrypting a victim’s information and data and holding it for a ransom fee.

Ransomware is among the most notorious and damaging strains of malware in recent times. The most destructive of them all, CryptoWall, is estimated to have raked in over $300 million for its developers this year alone. Other ransomware related to the Angler Exploit Kit has been found to net over $30 million for the authors behind the malware.

The ransom is commonly sought in Bitcoin in exchange for a decryption key that promises to release all the held-up documents, files and data infected by the ransomware. A recent report also confirmed the presence of the newest version of the CryptoWall family, CryptoWall 4.0.

The latest release of the strain is even more damaging as it encrypts individual file names along with the data itself, making it harder to identify important files needing to be rescued. As things stand, there is no fix for CryptoWall 4.0. You’ve got to pay the ransom demand or hope that you’ve backed up all your files.

Now, ransomware scammers have stepped up a gear in infecting end-users by developing ransomware for websites and web servers. Quite simply, “Linux.Encoder.1,” as it is called by Russian security firm Dr.Web, targets websites to encrypt and lock down the web pages, files, images and content hosted on a website in exchange for ransom.


The ransomware, as discovered and named by Russian antivirus company Dr.Web and publicized by KrebsOnSecurity, is written in C using the PolarSSL library and requires the compromised user account of an administrator to inflict damage the way ransomware usually does.

At the time of publishing, the ransomware scores a detection rate of just 9 out of 54 in Google’s VirusTotal, a free online service that serves as an aggregate of numerous antivirus engines and website scanners. In other words, the ransomware is a new threat, and the threat is indeed real.

Linux.Encoder.1 is typically injected onto websites powered by Linux through various plugins and third-party software which are notoriously vulnerable. When the malware claims a host machine, all files located in the “Home” directory of the system, along with backup directories are infected. So too are system folders that typically contain website content such as code, files, images, pages, libraries, and scripts.

An excerpt from Dr.Web’s analysis of the ransomware reads:

Once launched with administrator privileges, the Trojan loads into the memory of its process files containing cybercriminals’ demands:

./readme.crypto—file with demands,

./index.crypto—HTML file with demands.

Dr.Web notes that the Trojan encrypts files in the following directories:


As reported by Krebs, one ransomware victim spoke about being at the receiving end of a ransomware threat after his web server that hosted several websites was infected by the malware.

Daniel Macadar, a professional website designer who wasn’t up to his usual habit of backing up the sites and the server on time, was left with little choice when a ransom demand arrived in a plain text file called “instructions to decrypt,” a file that was found in every directory housing encrypted content.

The warning read:

To obtain the private key and PHP script for this computer, which will automatically decrypt files, you need to pay 1 bitcoin (approx. $420 USD at the time of the demand). Without this key, you will never be able to get your original files back.

Macadar proceeded to pay the ransom demand and three hours later the server was fully decrypted.

The web designer added that he sought the help of an independent security service to help secure his website and find the security hole that led to the Trojan malware. The vulnerability was found in unpatched third-party software called Magento, a shopping cart application used by websites to handle payments. Although a patch was issued by Magento’s developers earlier this year to plug the vulnerability, Macadar’s website, like many others that were and still are, was behind on critical security updates.

As a general habit, it is good practice to unplug or disconnect your backups from the source, as most ransomware proceeds to encrypt backed-up files as long as they’re connected and accessible.
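A triage check for the ransom-note files named above, added here as an example and not taken from Dr.Web, Krebs or the original article: it lists every directory under a web root that holds a note and reports the oldest note timestamp, which helps decide which offline backup predates the infection. The default root `/var/www` and the exact on-disk spelling of the "instructions to decrypt" file are assumptions, so file names are normalized before matching.

```python
import os
import re

# Note names come from the article. The exact spelling of the
# "instructions to decrypt" file on disk is an assumption.
NOTE_NAMES = {"readme.crypto", "index.crypto", "instructions to decrypt"}


def normalize(filename):
    """Lowercase, drop a .txt suffix, and treat '_' and '-' as spaces."""
    name = filename.lower()
    if name.endswith(".txt"):
        name = name[:-4]
    return re.sub(r"[_\-\s]+", " ", name).strip()


def find_ransom_notes(root):
    """Map each directory under root to the ransom-note files it contains."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        notes = sorted(f for f in filenames if normalize(f) in NOTE_NAMES)
        if notes:
            hits[dirpath] = notes
    return hits


def earliest_note_mtime(hits):
    """Oldest note mtime: a rough estimate of when encryption began."""
    times = [os.lstat(os.path.join(d, f)).st_mtime
             for d, files in hits.items() for f in files]
    return min(times) if times else None


if __name__ == "__main__":
    import sys
    # Hypothetical default web root; pass the real one as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/www"
    hits = find_ransom_notes(root)
    for directory, notes in sorted(hits.items()):
        print(f"{directory}: {', '.join(notes)}")
    first = earliest_note_mtime(hits)
    if first is not None:
        print(f"earliest note mtime (epoch seconds): {first:.0f}")
```

File timestamps can be altered on a compromised host, so treat the reported time as a starting point and verify any backup before restoring from it.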

Ultimately, the threat of ransomware is constantly evolving and destructive in its reach, with the ability to infect millions of computers around the world.


Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.