Unlock Linux.Encoder.1 encrypted files

We wrote about Linux.Encoder.1, the first known Linux ransomware, a week back. Luckily for those who are affected, BitDefender has published a Python script to unlock the encrypted files.

The trojan used the local system time to generate the AES key, so the key can be recovered from the timestamps of the encrypted files. In other words, the timestamp is the seed used to generate the AES key.

If you are affected and you can still boot the server, download the script directly on the server. Otherwise, boot the machine from a live USB with any Linux flavour (Ubuntu on a pen drive, for example).

Steps to use the script:

  1. Extract the script:
    $ unzip Decrypter_0-1.3.zip
  2. Create a temporary directory to mount the affected volume:
    $ mkdir enc
  3. Mount the volume (say /dev/sda2) and move to it:
    $ mount /dev/sda2 enc
    $ cd enc
  4. Get a list of the encrypted files:
    $ /path_to/sort_files.sh encrypted_partition > sorted_list
  5. Get the first file:
    $ head -1 sorted_list
  6. Decrypt the file:
    $ /path_to/decrypter.py -f file1

    This will display the seed (the timestamp).

  7. Decrypt all the other files using the seed:
    $ /path_to/decrypter.py -s [time-stamp] -l sorted_list
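The reason step 6 can print the seed at all is the weakness described above: a key derived only from a clock value has almost no entropy once the file's modification time is known. The following is an added illustration of that weakness class, written for this post; it is not Bitdefender's decrypter nor Linux.Encoder.1's real key derivation, and the `derive_key` function and the SHA-256 counter-mode keystream (standing in for AES so the example runs with the standard library only) are both hypothetical.

```python
import hashlib
from typing import Optional, Tuple

def derive_key(seed: int) -> bytes:
    """Hypothetical KDF: a 16-byte key determined entirely by a Unix timestamp."""
    return hashlib.sha256(seed.to_bytes(8, "big")).digest()[:16]

def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode) standing in for AES.
    XOR with the keystream is symmetric, so the same call decrypts."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

def encrypt_with_clock(plaintext: bytes, now: int) -> bytes:
    """What a timestamp-seeded encryptor does: the 'random' seed is just the clock."""
    return keystream_xor(plaintext, derive_key(now))

def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 mtime: int, window: int = 3600) -> Optional[int]:
    """Defender's view: try every seed within `window` seconds of the file's
    mtime until a known plaintext header (e.g. a file magic) reappears.
    Returns the seed, or None if nothing in the window matches."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(mtime - window, mtime + window + 1):
        if keystream_xor(head, derive_key(seed)) == known_prefix:
            return seed
    return None

def demo() -> Tuple[int, Optional[int], bytes]:
    """Constructed sample: an ELF-style magic gives a reliable known prefix."""
    plaintext = b"\x7fELF" + b"contents of a constructed sample file"
    encrypt_time = 1447200000            # constructed Unix timestamp (Nov 2015)
    ciphertext = encrypt_with_clock(plaintext, encrypt_time)
    mtime = encrypt_time + 2             # mtime is written moments after keying
    seed = recover_seed(ciphertext, b"\x7fELF", mtime)
    restored = keystream_xor(ciphertext, derive_key(seed)) if seed is not None else b""
    return encrypt_time, seed, restored

if __name__ == "__main__":
    used, found, restored = demo()
    print(f"seed used: {used}  seed recovered: {found}  restored: {restored[:4]!r}")
```

With a one-hour window the search tries 7201 candidates; once one file yields the seed, every other file encrypted in the same run can be decrypted with it, which is exactly why step 7 only needs the single timestamp from step 6.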

Source
