Anti-Malware Research

Diving into Linux.Encoder’s predecessor: a tale of blind reverse engineering

Linux.Encoder.1 has earned a reputation as the world’s first ransomware family tailored for Linux platforms. After thwarting the massive ransomware infection with the release of a free decryption tool, Bitdefender researchers looked into a number of reports in which the tool was unable to decrypt the data.

A closer look revealed these files had been encrypted with an older variant of the Ransomware Trojan, which means hackers had been in the Linux ransomware business long before the discovery of Linux.Encoder.1.

We dubbed this “first draft” of the ransomware Trojan Linux.Encoder.0. However, lacking a sample to analyze the way keys and IVs were generated, our decryption endeavors had to rely on diff-ing normal and encrypted files, blind reverse engineering and gut feelings. Our research into the way crypto was built into Linux.Encoder’s predecessor is documented in a paper (click for direct download) by Radu Caragea, Vulnerability Researcher and cryptography expert at Bitdefender.

More about the author

Radu Caragea is a Vulnerability Researcher from Bitdefender specializing in “unorthodox” methods of malware analysis and cryptography. His interests also include exploitation and virtual machine introspection.

He is a self-proclaimed “CTF maniac,” having founded and catalyzed the Hexcellents academic security research group at the Politehnica University of Bucharest, where he is pursuing an MSc in Computer & Network Security. He has led the CTF team to win various national events, qualify for the Codegate Finals in Seoul, Korea in 2014, and score a spot within the top 40 teams worldwide in 2013. Recently, he has been playing for the PwnThyBytes team and carrying out his teaching duties as a trainer for the Romanian team in the European Cyber Security Challenge competition.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.