One of the most malicious and effective forms of malware, Ransomware, appears to have taken the next evolutionary step and has now been found embedded in websites.
This latest incarnation, labelled Linux.Encoder.1 by Russian security firm Dr.Web, targets sites powered by the Linux operating system.
Romania-based security vendor Bitdefender said in a blog post that Linux.Encoder.1 is executed on the victim’s Linux box after remote attackers leverage a flaw in the popular Magento content management system app, a client for ecommerce payments.
“Just like Windows-based ransomware, it encrypts the contents of these files using AES (a symmetric key encryption algorithm), which provides enough strength and speed while keeping system resource usage to a minimum,” the company said.
The vulnerability in Magento was identified by security firm CheckPoint in April 2015, and Magento released a patch soon after. The recent infections have been attributed to systems that were never patched and so remain susceptible.
The main weakness for the attackers, and the saviour of some victims, of this new form of ransomware, called Cryptowall 4.0, is the way it encrypts files. Bitdefender said its research teams had discovered that instead of generating secure random keys and IVs, the sample derives both from the libc rand() function, seeded with the system timestamp at the moment of encryption.
“This information can be easily retrieved by looking at the file’s timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan’s operator(s).”
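As an added illustration (not the malware's code and not taken from the Bitdefender analysis), the C model below shows why a key and IV pulled from libc rand() seeded with a timestamp can be regenerated from nothing more than the encrypted file's modification time, next to a derivation from the kernel CSPRNG that cannot; the 16-byte key and IV lengths, the byte-per-rand()-call extraction and the sample timestamp are assumptions of this model.

```c
/* Model of the design flaw described above, written for this article and not
 * Linux.Encoder.1's own code. Key/IV lengths and the byte-per-call derivation
 * are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16
#define IV_LEN  16

/* Weak scheme: seed libc rand() with the timestamp, then pull key and IV
 * bytes from it. Anyone who learns the seed reproduces both exactly. */
void weak_derive(time_t ts, unsigned char key[KEY_LEN], unsigned char iv[IV_LEN]) {
    srand((unsigned int)ts);
    for (int i = 0; i < KEY_LEN; i++) key[i] = (unsigned char)(rand() & 0xff);
    for (int i = 0; i < IV_LEN; i++)  iv[i]  = (unsigned char)(rand() & 0xff);
}

/* Correct scheme: key and IV come from the kernel CSPRNG and are independent
 * of anything readable from the filesystem. Returns 0 on success, -1 if
 * /dev/urandom is unavailable. */
int strong_derive(unsigned char key[KEY_LEN], unsigned char iv[IV_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    int ok = fread(key, 1, KEY_LEN, f) == KEY_LEN && fread(iv, 1, IV_LEN, f) == IV_LEN;
    fclose(f);
    return ok ? 0 : -1;
}

/* The recovery step an analyst performs: take the encrypted file's mtime
 * (a constructed value here, not read from disk), re-run the derivation and
 * compare with the key the encryptor actually used. Returns 1 on a match. */
int weak_key_recoverable(void) {
    const time_t file_mtime = 1446768000; /* constructed: 2015-11-06 00:00 UTC */
    unsigned char key_used[KEY_LEN], iv_used[IV_LEN], key_rec[KEY_LEN], iv_rec[IV_LEN];
    weak_derive(file_mtime, key_used, iv_used); /* what the encryptor did */
    weak_derive(file_mtime, key_rec, iv_rec);   /* what the analyst does later */
    return memcmp(key_used, key_rec, KEY_LEN) == 0 && memcmp(iv_used, iv_rec, IV_LEN) == 0;
}

/* Same check against the strong scheme: two draws do not agree, so knowing
 * the timestamp gives nothing. Returns 0 when not recoverable, -1 on error. */
int strong_key_recoverable(void) {
    unsigned char k1[KEY_LEN], i1[IV_LEN], k2[KEY_LEN], i2[IV_LEN];
    if (strong_derive(k1, i1) || strong_derive(k2, i2)) return -1;
    return memcmp(k1, k2, KEY_LEN) == 0 && memcmp(i1, i2, IV_LEN) == 0;
}
```

The same property is what lets a defender verify, from a single encrypted file and its mtime, whether a sample uses this weak derivation before attempting recovery.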