Ransomware has emerged as one of the catastrophic malware programs that lets hacker encrypts all the contents of a victim's hard drive or/and server and demands ransom (typically to be paid in Bitcoin) in exchange for a key to decrypt it. Since past few years,has emerged as one of the catastrophic malware programs that lets hacker encrypts all the contents of a victim's hard drive or/and server and demands ransom (typically to be paid in) in exchange for a key to decrypt it.





Until now cyber criminals were targeting computers, smartphones and tablets, but now it appears they are creating ransomware that makes the same impact but for Web Sites – specifically holding files, pages and images of the target website for Ransom.





Dubbed Linux.Encoder.1 by Russian antivirus firm Dr.Web, the new strain of ransomware targets Linux-powered websites and servers by encrypting MySQL, Apache, and home/root folders associated with the target site and asking for 1 Bitcoin (~ $300) to decrypt the files.

The ransomware threat is delivered to the target website through known vulnerabilities in website plugins or third-party software.

Home directories on the system as well as Backup directories and the System Folders associated with Web site files, pages, images, code libraries and scripts. Once infected, the Linux.Encoder.1 malware encrypts all files in thedirectories on the system as well asdirectories and theassociated with Web site files, pages, images, code libraries and scripts.





Ransomware Uses AES Encryption





According to the security researchers, the ransomware in question needs root privileges to work. Additionally, when it launches, the malware starts downloading:

The Ransom Message containing the demands of fraudsters

containing the demands of fraudsters A file containing the public RSA key

After that, the Ransomware starts as a daemon and deletes all of the original files. The RSA key is then used to store AES keys that are used by the ransomware to encrypt the local files on the infected computer.





The ransomware also adds the .encrypt extension to each file it encrypts and writes a ransom text message in every folder.

Targeting Linux-Powered Websites and Servers

The malware specifically encrypts files in folders that are typically found in Linux Web server setups, including directories like home, root, MySQL, Apache, and any directory that includes terms such as git, svn, webapp, www, public_html, or backup.





Moreover, the ransomware looks for files that have extensions specific to Web development environments including .js, .css, .properties, .xml, .ruby, .php, .html, .gz, and .asp, as well as other file extensions like .rar, .7z, .xls, .pdf, .doc, .avi, .mov, .png, and .jpg.





Once the victim pays the ransom amount, the system receives a signal to pass over the directories again to decrypt the files.



