
Diving into Linux.Encoder’s predecessor: a tale of blind reverse engineering

Bogdan BOTEZATU

November 18, 2015


Linux.Encoder.1 has earned a reputation as the world’s first ransomware family tailored for Linux platforms. After thwarting the massive ransomware infection with the release of a free decryption tool, Bitdefender researchers looked into a number of reports in which the tool was unable to decrypt the data.

A closer look revealed these files had been encrypted with an older variant of the Ransomware Trojan, which means hackers had been in the Linux ransomware business long before the discovery of Linux.Encoder.1.

We dubbed this “first draft” of the ransomware Trojan Linux.Encoder.0. However, lacking a sample of the malware itself to analyze the way keys and IVs were generated, our decryption effort had to rely on diff-ing normal and encrypted files, blind reverse engineering and gut feeling. Our research into the way crypto was built into Linux.Encoder’s predecessor is documented in a paper (click for direct download) by Radu Caragea, Vulnerability Researcher and cryptography expert at Bitdefender.

More about the author

Radu Caragea is a Vulnerability Researcher from Bitdefender specializing in “unorthodox” methods of malware analysis and cryptography. His interests also include exploitation and virtual machine introspection.

He is a self-proclaimed “CTF maniac,” having founded and catalyzed the Hexcellents academic security research group in the Politehnica University of Bucharest, where he is pursuing an MSc in Computer & Network Security. He has led the CTF team to win various national events, qualify for the Codegate Finals in Seoul, Korea in 2014, and score a spot within the top 40 teams worldwide in 2013. Recently, he has been playing for the PwnThyBytes team and carrying out his teaching duties as a trainer for the Romanian team in the European Cyber Security Challenge competition.
