We wrote about Linux.Encoder.1, the first known Linux ransomware a week back. Luckily for those who are affected, BitDefender has published a Python script to unlock the encrypted files.
The trojan used the local system time to generate the AES key, so the key can be recovered from the timestamps of the encrypted files. In other words, the timestamp is the seed from which the AES key is derived.
If you are affected and you can boot the server, download the script directly on the server. Otherwise, use a live USB with any Linux flavour; a live Ubuntu image on a pen drive, for example, will do.
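To show why a time-seeded key is recoverable, here is an added illustration (not the Bitdefender script and not the malware's real key derivation): a toy key derived from a second-resolution timestamp, a toy hash-counter stream cipher standing in for AES, and a recovery that scans the seeds near the file's mtime until a known plaintext header (a constructed PNG magic) decrypts correctly.

```python
import hashlib
from typing import Optional

# Constructed toy key derivation: the only entropy is a second-resolution timestamp,
# so the whole key space collapses to a handful of candidate seconds around the mtime.
def key_from_seed(seed: int) -> bytes:
    """Return a 16-byte key derived solely from a Unix timestamp (toy KDF, not the real one)."""
    return hashlib.sha256(seed.to_bytes(8, "big")).digest()[:16]

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream cipher (SHA-256 in counter mode); symmetric, so it decrypts too."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_with_time(plaintext: bytes, now: int) -> bytes:
    """Encrypt the way a time-seeded locker would: key = KDF(current time)."""
    return xor_stream(key_from_seed(now), plaintext)

def recover_seed(ciphertext: bytes, mtime: int, known_prefix: bytes,
                 window: int = 60) -> Optional[int]:
    """Search the seconds leading up to the file's mtime for the seed whose key
    turns the start of the ciphertext back into the expected header.
    'window' bounds how long before the mtime the key may have been generated."""
    for seed in range(mtime - window, mtime + 1):
        if xor_stream(key_from_seed(seed), ciphertext[:len(known_prefix)]) == known_prefix:
            return seed
    return None

if __name__ == "__main__":
    # Constructed sample: a PNG header plus filler, "encrypted" at a fixed timestamp,
    # with the file's mtime one second later as it would be after the write.
    PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
    plaintext = PNG_MAGIC + b"constructed image body"
    encrypted_at = 1447000000
    ciphertext = encrypt_with_time(plaintext, encrypted_at)
    seed = recover_seed(ciphertext, mtime=encrypted_at + 1, known_prefix=PNG_MAGIC)
    print("recovered seed:", seed)
    print("plaintext restored:", xor_stream(key_from_seed(seed), ciphertext) == plaintext)
```

The same search fails when the mtime is far from the true key generation time, which is why the tool works best on files whose timestamps were left untouched after the infection.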
Steps to use the script:
- Extract the script:
$ unzip Decrypter_0-1.3.zip
- Create a temporary directory to mount the affected volume:
$ mkdir enc
- Mount the volume (say /dev/sda2) and move to it:
$ mount /dev/sda2 enc
$ cd enc
- Get the list of encrypted files:
$ /path_to/sort_files.sh encrypted_partition > sorted_list
- Get the first file:
$ head -1 sorted_list
- Decrypt the file:
$ /path_to/decrypter.py -f file1
This will display the seed (timestamp).
- Decrypt all the other files using the seed:
$ /path_to/decrypter.py -s [time-stamp] -l sorted_list