Web Stores Held Hostage

Last week has seen an explosion of e-commerce sites infected with the Linux.Encoder.1 ransomware. For those not familiar with the term, ransomware is a particularly vicious type of malware that aims to extort money from the owners of compromised systems.

In the case of Linux.Encorder.1, the malware attacks vital files on a web server, encrypting them so they cannot be opened by the administrator or applications. The files are encrypted using a secret key, so it's impossible to decrypt them. This effectively shuts down the server and takes the site offline.

Linux.Encorder.1 leaves behind text files that tell the admin how to return the system to working order - by paying untraceable bitcoins to the malware author.

With thousands of systems compromised, there has been a lot of resentment about Linux security from store owners. But, despite the name of the malware, Linux is innocent! The security hole is actually in Magento, an extremely popular e-commerce application.

Magento's developers are aware of the problem - in fact, they patched it way back in October 2014. The fact that so many sites have recently been infected shows that many store owners have not updated their Magento installation.

Of course, simply pointing out that it's their own fault does little to console people who have been put out of business by these extortionists. It's understandable that many site owners have given in and paid the ransom (which is 1 bitcoin, worth more than $300).

And this brings us to the cruelest twist in the story. The script that the ransomers send to their victims should decrypt the files and return the system to working order, but it doesn't. It contains bugs that insert random characters into the decrypted files, rendering them useless.

So, if you can't restore your system by cooperating with the criminals, how can you recover from the infection? Happily, there is a way to recover.

You see, Linux.Encorder.1 contains a vital flaw that makes it easy for security professionals to discover the secret encryption key. The key is "randomly" generated using the system time as the seed.

That means that if you know the exact moment when the file was encrypted, you can generate the key. Fortunately, Linux stores this metadata for every file on the system.

It is possible to manually fix your system if you are familiar with the command line. Security firm Bitdefender provides instructions along with a utility to help you restore your files at http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/.

Finally, once your site is working again, don't forget to patch Magento. Otherwise, your system could get reinfected!