ransomware virus on Linux

Polytropon freebsd at edvax.de
Thu Nov 19 07:04:18 UTC 2015

On Thu, 19 Nov 2015 07:44:34 +0100, Matthias Apitz wrote:
> Hello,
> I've read in the German computer magazine "iX 12/2015" about a threat
> against Linux: Some ransomware malware encrypts your disk and the bad guys aking
> for your money to get it decrypted again.

The FBI recommends you simply pay:


Things can be so easy if you listen to the authorities and then
hand the costs over to your loyal customers who believe in your
expertness and professionalism. ;-)

> All details about this story
> and how to get it decrypted again w/o spending money is here:
> http://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

In addition:



> Two questions remain:
> The structure of the attack makes me think that it would work the same way on
> FreeBSD too.

As far as I understand: Yes, that would be possible (given that
the FreeBSD installation is much like the Linux installations
affected in terms of software versions in use).

> Do we have already known attacks like this?

Maybe those running a significant attack surface (i. e., old and
unpatched version of Magento, as the article you pointed to states),
could provide more information:

	Linux.Encoder.1 is executed on the victim's Linux box
	after remote attackers leverage a flaw in the popular
	Magento content management system app.

Proper settings of (write) privilege, account separation, the use
of jails will probably make this harder to spread across a whole
system. The article mentions a few things to pay attention to.

> If we would have a known attack and test data from this (i.e. an
> encrypted file system tree), I think it would be worth to check if the
> software described by Bitdefender could be ported to FreeBSD too.

It would be interesting to see if the Linux version would work
on FreeBSD (via Linux ABI), because the file system access at
this point is still "abstracted" to the running program.

Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

More information about the freebsd-questions mailing list