Linux.Encoder

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Linux.Encoder" – news · newspapers · books · scholar · JSTOR (November 2015) (Learn how and when to remove this message)

Linux.Encoder.1 is considered as the first Ransomware Trojan targeting computers running Linux.^[1] Discovered on November 6, 2015, by Dr. Web, this malware affected more than 2,000 Linux users. ^[2]

Linux.Encoder.1 is remotely executed on the victim's computer by using a flaw in Magento, a popular Content_management_system app. When activated, the malware encrypts certain types of files stored on local and mounted network drives using AES and RSA Public-key_cryptography, with the private key stored only on the malware's control servers. The malware then store a file called "readme_to_decrypt.txt" in every folder. The message which offers to decrypt the data if a payment (through Bitcoin) is made.^[3] Compared to other ransomware such as CryptoLocker, the malware does not state a deadline to pay and the ransom does not increase over time.

On November 5, 2015, Dr. Web, a Russian anti-malware company added to its virus database Linux.Encoder.1. The company then published the malware description the day after. This ransomware is written in C using the PolarSSL library. ^[4]

According to Bitdefender Labs, the most common infection vector is though a flaw in Magento, a shopping cart software. CheckPoint, reported this vulnerability in April 2015.^[5] After this report, Magento issued a fix. However, a lot of small ecommerce site did not apply this critical update.^[6] Linux host might also be attacked using other exploits.

This malware-related article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e