Diving into Linux.Encoder’s predecessor: a tale of blind reverse engineering

Linux.Encoder.1 has earned a reputation as the world’s first ransomware family tailored for Linux platforms. After thwarting the massive ransomware infection with the release of a free decryption tool, Bitdefender researchers looked into a number of reports in which the tool was unable to decrypt the data.

A closer look revealed these files had been encrypted with an older variant of the Ransomware Trojan, which means hackers had been in the Linux ransomware business long before the discovery of Linux.Encoder.1.

We dubbed this “first draft” of this ransomware Trojan Linux.Encoder.0. However, lacking a sample file to analyze the way keys and IVs were generated, our decryption endeavors had to rely on diff-ing normal and encrypted files, blind reverse engineering and gut feelings. Our research into the way crypto was built into Linux.Encoder’s predecessor is documented in a paper (click for direct download) by Radu Caragea, Vulnerability Researcher and cryptography expert at Bitdefender..

More about the author

Radu Caragea is a Vulnerability Researcher from Bitdefender specializing in “unorthodox” methods of malware analysis and cryptography. His interests also include exploitation and virtual machine introspection.

He is a self-proclaimed “CTF maniac,” having founded and catalyzed the Hexcellents academic security research group in the Politehnica University of Bucharest, where he is pursuing an MSc in Computer & Network Security. He has lead the CTF team to win various national events, qualify for the Codegate Finals in Seoul, Korea in 2014, and score a spot within the top 40 teams worldwide in 2013. Recently, he has been playing for the PwnThyBytes team and carrying out his teaching duties as a trainer for the Romanian team in the European Cyber Security Challenge competition.