A new piece of ransomware dubbed Linux.Encoder.1 has been discovered that targets Linux servers. Researchers have found that the virus only encrypts files that are related to Web hosting, Web servers, MySQL, Subversion, Git, and other software packages used in Web development and Web servers.

The virus is known to encrypt the following directories:


Researchers have also found that the virus only encrypts files with the following extensions:

“.php”, “.html”, “.tar”, “.gz”, “.sql”, “.js”, “.css”, “.txt” “.pdf”, “.tgz”, “.war”, “.jar”, “.java”, “.class”, “.ruby”, “.rar” “.zip”, “.db”, “.7z”, “.doc”, “.pdf”, “.xls”, “.properties”, “.xml” “.jpg”, “.jpeg”, “.png”, “.gif”, “.mov”, “.avi”, “.wmv”, “.mp3” “.mp4”, “.wma”, “.aac”, “.wav”, “.pem”, “.pub”, “.docx”, “.apk” “.exe”, “.dll”, “.tpl”, “.psd”, “.asp”, “.phtml”, “.aspx”, “.csv”

Linux-Encoder-1Just like its Windows cousin CryptoWall, any directory that has been encrypted or at least contains one encrypted file will have a file title README_FOR_DECRYPT.txt file with a ransom demand. It has been reported that, even though the virus primarily targets business environments, the ransomware only asks for 1 Bitcoin, a fairly low amount compared to other ransomware. At the time of this post, 1 Bitcoin is worth approximately $325.

Thankfully Linux.Encoder.1 is not as sophisticated as its Windows counterpart. Researchers at Bitdefender discovered a critical flaw in how the ransomware creates its encryption key while performing tests in their lab and have already released a free tool that will automatically decrypt any files on a victim’s system that were targeted.

Even though a flaw was discovered within Linux.Encoder.1, the next variant of it will most likely be patched and encrypted files will not be as easily recovered. With this in mind, powersolution.com recommends that any Organization running Linux machines install a security product, roll out patches and updates as soon as they become available, and keep regular backups of their data just in case they should find themselves a victim of ransomware like Linux.Encoder.1.