Linux Ransomware Debut Fails on Predictable Encryption Key

No need to crack RSA when you can guess the key

—————————–

Update: There have been some developments regarding this ransomware. It was brought to our attention that the decryption tool was not working in particular cases. Upon investigation we were surprised to find that some victims had been infected more than once (the ransomware was accidentally started more than once on the same machine).


This means that some files were encrypted with one key and others with a different one. Worse, the concurrent runs raced on the same files, and some were irreparably damaged (their content is truncated to zero length). In some cases even the ransom notes were encrypted!

We updated the decryption utility and the README. Please read it for the new instructions.

/update

File-encrypting ransomware Trojans are almost ubiquitous on Windows, and it was only a matter of time until the first piece targeting Linux appeared. Dubbed Linux.Encoder.1, it is extremely similar in behavior to CryptoWall, TorLocker and other notorious ransomware families for Windows.

How does it work?

Linux.Encoder.1 is executed on the victim’s Linux box after remote attackers leverage a flaw in the popular Magento content management system. Once executed, the Trojan looks for the /home, /root and /var/lib/mysql folders and starts encrypting their contents. Just like Windows-based ransomware, it encrypts these files using AES (a symmetric-key algorithm), which provides enough strength and speed while keeping system resource usage to a minimum. The symmetric key is then encrypted with an asymmetric algorithm (RSA) and prepended to the file, along with the initialization vector used by AES.

Once the files have been encrypted, the Trojan attempts to also encrypt the contents of the root (/), skipping only critical system files, so the operating system will be able to boot up again.

At this point, it would be safe to assume that users can’t get their data back unless they pay the operators a fee in exchange for the RSA private key to decrypt the AES symmetric one. However, a major flaw in the way the Encoder Trojan is designed allowed Bitdefender researchers to recover the AES key without having to decrypt it with the RSA private key.

A primer on encryption

Throughout 2015, most crypto-ransomware Trojans have used a hybrid of two encryption algorithms to hold valuable information hostage. To rapidly and effectively encrypt large amounts of data, they rely on the Advanced Encryption Standard (AES for short), a symmetric-key algorithm (the same key is used for both encryption and decryption). Since a symmetric key that is generated on the victim’s machine could be read back by the victim, crypto-ransomware operators usually complement AES with RSA (an asymmetric-key algorithm). RSA generates a pair of complementary public and private keys: the public key is used for encryption and the private one for decryption. These keys are usually generated on the attackers’ server and only the public key is sent to the victim PC. Since RSA is far slower than AES on large amounts of data, the public key is used to encrypt only a small, yet critical, piece of information: the AES key, which is generated locally. The RSA-encrypted AES key is then prepended to the beginning of every encrypted file, along with the original file permissions and the initialization vector (IV) used by AES. Without the private key, which never leaves the attackers’ server, the AES key cannot be unwrapped from the file.

The million-dollar flaw

We mentioned that the AES key is generated locally on the victim’s computer. We looked into the way the key and initialization vector are generated by reverse-engineering the Linux.Encoder.1 sample in our lab. We found that, rather than drawing the key and IV from a cryptographically secure source, the sample derives both from the libc rand() function seeded with the system timestamp at the moment encryption starts. rand() is deterministic: anyone who knows the seed can replay exactly the same key and IV, and the seed is easily retrieved from the modification time of the earliest encrypted file, which lies only moments after the seed. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA private key sold by the Trojan’s operator(s).

Automated decryption tool now available

Bitdefender is the first security vendor to release a decryption tool that automatically restores affected files to their original state. The tool determines the IV and the encryption key simply by analyzing the file, then performs the decryption, followed by permission fixing. If you can boot your compromised operating system, download the script and run it under the root user.

Here is a step-by-step walkthrough to get your data back (the utility needs Python 2.7 with the pycrypto module):

– Download the script from the Bitdefender Labs repository [link updated to include the fix for the recent evolution of the ransomware]
– Chances are that encryption also affected the system, so you might need to boot from a live CD or mount the affected partition on a different machine: mount /dev/[encrypted_partition] /mnt
– Generate a list of encrypted files, sorted by modification time, by issuing the following command: /mnt# sort_files.sh [encrypted_partition] > sorted_list
– Issue a head command to get the first (earliest encrypted) file: /mnt# head -1 sorted_list
– Run the decryption utility on that file to get the encryption seed: /mnt# python decrypter.py -f [first_file]
– Decrypt everything using the displayed seed: /mnt# python decrypter.py -s [timestamp] -l sorted_list (the updated utility also expects an error-file list via -e; see its README)
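To make the flaw and the walkthrough concrete, here is an added example written for this page; it is not Bitdefender’s decrypter and not code from the Trojan. It models the scheme described under “A primer on encryption” and “The million-dollar flaw” (key and IV drawn from libc rand() seeded with the start timestamp) with a pure-Python reimplementation of glibc’s srand()/rand(), then performs the seed-recovery steps above: take the modification time of the earliest *.encrypted file, walk back second by second until a candidate seed reproduces the IV stored in the file header, and rebuild the AES key from that seed. The header layout (4-byte original mode, 16-byte IV, ciphertext), the mapping from rand() outputs to key bytes, the one-hour search window, the file names and the sample timestamp are assumptions for this example; the page does not give the Trojan’s exact derivation or header. The AES round trip uses pycryptodome, as the post’s decrypter does, and is skipped when it is not installed.

```python
"""Added example: recover a timestamp-seeded, rand()-derived AES key from a file's mtime."""
import os
import struct
import tempfile

KEY_LEN, IV_LEN = 32, 16
HEADER_LEN = 4 + IV_LEN      # assumed layout: 4-byte LE original mode || IV || ciphertext
SEARCH_WINDOW = 3600         # assumed: the seed lies at most one hour before a file's mtime


class GlibcRand:
    """Pure-Python glibc srand()/rand() (the TYPE_3 additive feedback generator).

    Exact for seeds 1..2**31-1, which covers every Unix timestamp before 2038.
    """

    def __init__(self, seed):
        seed &= 0xFFFFFFFF
        if seed == 0:                        # glibc replaces a zero seed with 1
            seed = 1
        if seed >= 1 << 31:
            raise ValueError("seed >= 2**31 would need signed-overflow emulation")
        r = [seed]
        for i in range(1, 31):               # warm-up LCG: r[i] = 16807 * r[i-1] mod (2**31 - 1)
            r.append((16807 * r[i - 1]) % 2147483647)
        r.extend(r[0:3])                     # r[31..33] = r[0..2]
        self._r = r
        for _ in range(310):                 # glibc discards the first 310 outputs
            self._step()

    def _step(self):
        r = self._r
        r.append((r[-31] + r[-3]) & 0xFFFFFFFF)   # additive feedback with 32-bit wrap
        return r[-1] >> 1                          # rand() returns the top 31 bits

    def rand(self):
        return self._step()


def derive_key_iv(seed):
    """Assumed encryptor behaviour: key and IV are the low bytes of successive rand() calls."""
    rng = GlibcRand(seed)
    key = bytes(rng.rand() & 0xFF for _ in range(KEY_LEN))
    iv = bytes(rng.rand() & 0xFF for _ in range(IV_LEN))
    return key, iv


def build_header(mode, iv):
    return struct.pack("<I", mode) + iv


def parse_header(blob):
    """Split an encrypted file into (original mode, IV, ciphertext); short files are rejected."""
    if len(blob) < HEADER_LEN:
        raise ValueError("file shorter than its header (truncated by a second run of the encryptor?)")
    mode = struct.unpack("<I", blob[:4])[0]
    return mode, blob[4:HEADER_LEN], blob[HEADER_LEN:]


def recover_seed(iv_from_header, mtime, window=SEARCH_WINDOW):
    """Walk back from the file's mtime until some seed reproduces the stored IV."""
    for seed in range(int(mtime), int(mtime) - window - 1, -1):
        if derive_key_iv(seed)[1] == iv_from_header:
            return seed
    return None


def earliest_encrypted_mtime(root, suffix=".encrypted"):
    """What 'sort_files.sh | head -1' yields: mtime (whole seconds) of the oldest *.encrypted file."""
    stamps = [os.stat(os.path.join(d, f)).st_mtime_ns
              for d, _, files in os.walk(root) for f in files if f.endswith(suffix)]
    return min(stamps) // 10**9 if stamps else None


def decrypt_body(key, iv, body):
    """AES-256-CBC with PKCS#7 padding (assumed); needs pycryptodome, like the post's decrypter."""
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import unpad
    return unpad(AES.new(key, AES.MODE_CBC, iv).decrypt(body), AES.block_size)


if __name__ == "__main__":
    start = 1446655061                       # constructed: the moment the encryptor called srand()
    key, iv = derive_key_iv(start)
    with tempfile.TemporaryDirectory() as root:
        for name, delay in (("notes.txt.encrypted", 27), ("index.php.encrypted", 1)):
            path = os.path.join(root, name)
            with open(path, "wb") as f:      # constructed file: header plus a placeholder body
                f.write(build_header(0o644, iv) + b"\0" * 32)
            os.utime(path, (start + delay, start + delay))
        first = earliest_encrypted_mtime(root)
        with open(os.path.join(root, "notes.txt.encrypted"), "rb") as f:
            mode, stored_iv, _ = parse_header(f.read())
    seed = recover_seed(stored_iv, first)
    print("earliest .encrypted mtime %d -> seed %d, original mode %o" % (first, seed, mode))
    print("recovered AES key:", derive_key_iv(seed)[0].hex())
    try:
        from Crypto.Cipher import AES
        from Crypto.Util.Padding import pad
        ct = AES.new(key, AES.MODE_CBC, iv).encrypt(pad(b"hello from the victim", 16))
        print("round trip:", decrypt_body(*derive_key_iv(seed), ct))
    except ImportError:
        print("pycryptodome not installed; skipping the AES round trip")
```

Two things the walkthrough relies on fall out of this: the first entry of sorted_list is an upper bound on the seed rather than the seed itself (the search walks backwards from it, which is why an mtime that was altered after infection defeats the recovery), and a file shorter than its header, as happens when the ransomware runs twice and truncates files, has to be rejected before any seed search instead of being fed to the decrypter.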

Given the complexity of the task, we provide free support to any user in need of assistance. Just drop us a line via the comment form below and we’ll do our best to help you.

Today’s Takeaway

If your machine has been compromised, consider this a close shave. Most crypto-ransomware operators pay great attention to the way keys are generated in order to ensure your data stays encrypted until you pay. Mistakes such as the one described above are extremely fortunate, but also extremely rare. Next time, consider a couple of precautions:

– Never run applications that you don’t completely trust as the root user. This is a great security risk that will likely compromise your machine or the integrity of the data on it;
– Backup early, backup often. If your computer falls victim to ransomware, it is better to simply restore the affected files from an earlier backup than to pay the decryption fee. Remember that easy money is the primary driver for crypto-ransomware operators to build these Trojans and perfect them over time. The less profit they make, the lower their interest in developing crypto-ransomware;
– If your Linux device is on an organization’s network, you might want to add a security solution such as Bitdefender GravityZone. An antimalware solution blocks this type of threat before it manages to irreversibly encrypt files;
– Update your web applications as often as possible. This includes installations of WordPress, Magento or other third-party CMS apps that can be leveraged for remote code execution.

Decryption utility was available courtesy of Bitdefender cryptography specialist Radu Caragea. We would like to extend our thanks to Bitdefender antimalware researchers Codrut Marinescu, Razvan Benchea, Cristina Vatamanu and Alexandru Maximciuc.

182 Responses to Linux Ransomware Debut Fails on Predictable Encryption Key


  1. virender singh says:

    I have CentOS 5.8 and I was hit by ransomware. I am a newbie, please help me to resolve this issue.

  2. tim says:

    When running the decrypt i’m getting an error.

        python decrypter.py -f /home/admin/.bash_logout.encrypted
          File "decrypter.py", line 43
            with open(filepath, 'rb') as f:
               ^
        SyntaxError: invalid syntax

  3. Radu says:

    Tim, you seem to be using an older version of Python that does not have the “with” statement. The script was made for Python 2.7

  4. Arne says:

    very nice find. bitdefender 1 – 0 hackers

  5. tim says:

    ok, that did the trick. Thanks 🙂

    Copied the encrypted files to a box with Python 2.7; first got the seed from the old box.

  6. 0xdeadbeef says:

    hackers hack (either white/black hat). Malware writers write malware. Crackers crack software and code serials. Let’s start naming things properly, please.

  7. Crow says:

    Good work, I’ll probably change the ToyOS(Win) home computers to Bitdefender.
    Hey, people have to play too 🙂

  8. Jan says:

    Hi! About half of the encrypted files get decrypted just fine, but for the other half I get “IV not found for…” messages. What could be the possible cause of such behaviour?
    And when I generate the encrypted file list (which is huge in our case), can I pick a block of files (a particular project) from the middle of that list and run the script on that particular block only? Does it work this way?

  9. Jan says:

    One more comment. When I run decrypter.py script on full sorted file list it stops after some 10 minutes with following messages:

        Traceback (most recent call last):
          File "decrypter.py", line 139, in <module>
            sys.exit(main(**vars(options)))
          File "decrypter.py", line 115, in main
            decrypt_files(seed, filelist)
          File "decrypter.py", line 100, in decrypt_files
            decrypt_file(d, filepath)
          File "decrypter.py", line 61, in decrypt_file
            old_mode = struct.unpack("<I", f.read(4))[0]
        struct.error: unpack requires a string argument of length 4

  10. com says:

    Smart approach and doing the public a service, hats off!

  11. Radu says:

    Jan, it’s hard to say without further information. A few questions:
    – Can you pinpoint the exact file that the decryption doesn’t work anymore (IV not found message)? Can you check the files before and after it (in the sorted list) and see if there is any noticeable discrepancy in their timestamps?
    – Exactly how many files are in total? How many are decrypted ok and how many not at all?
    – Can you try changing line 92 in decrypter.py from “range(count * 2)” to something bigger such as 4 or 6 ? (“range(count * 6)”). Let’s see how that goes first.

  12. Pigsy says:

    How does it get to root? How does it get to home?

    Do I download a program and then run the program as root? Is it another one of these selling sand to Arabs? You understand anti-malware trying to sell anti-malware to everybody and anybody. Some people are just far too greedy for their own good.

  13. francesco says:

    Great job, it works very well. But it leaks memory when it has to process a lot of files in sorted_list.

    A temporary solution is adding swap to the server and modifying the decrypt_file function in decrypter.py as follows:

        with open(decrypted_path, 'wb') as f:
            f.write(decrypted_content)
        del f
        del decrypted_content

  14. David Deppner says:

    One of my test servers got hit with this last week. I just tried this solution on a backup of the VM and can confirm that it works. Details of the attack are available here: http://daviddeppner.com/blog/magento-ransomware

  15. Jan says:

    Radu, your suggestion to change line 92 as written above did not help. Instead I found out that the reason for your script to stop with “struct.error: unpack requires a string argument of length 4” is that the encrypted file is for some reason shorter than what decrypt_file(d, path) is trying to read from it. So basically the script stopped when it ran into a zero-length encrypted file. I solved this one by adding a file size check as follows:

        with open(path, 'rb') as f:
            f.seek(0, os.SEEK_END)
            size = f.tell()
            f.seek(0, os.SEEK_SET)
            if size < 25:
                print 'File is too short, skipped... %s' % path
                f.close()
                return

    I thought that 25 was good enough 🙂

    But I'm still struggling with the "IV not found for…" files.

  16. Radu says:

    Jan, I’ll drop you a mail shortly to discuss things in more detail.

  17. cFire says:

    I am also curious how it gets root access. Or does it just attempt to encrypt things and only succeeds if magento runs as root or your permissions are broken? Or does it actually have some privilege escalation mechanism?

  18. Aidus says:

    Same as Jan’s problem. A lot of files with “IV not found for…”

  19. Radu says:

    Jan, Aidus. We have identified the problem and we’re working on a fix.

  20. Bogdan Botezatu says:

    We have updated the article and the tool to work properly when the ransomware starts more than once on the same machine.

  21. Coder says:

    Hi, I followed all the steps, but at the “Find the seed” step I get this error:

        Traceback (most recent call last):
          File "./decrypter.py", line 142, in <module>
            sys.exit(main(**vars(options)))
          File "./decrypter.py", line 112, in main
            seed = find_seed(filename)
          File "./decrypter.py", line 49, in find_seed
            key = f.read(key_sz)
        OverflowError: Python int too large to convert to C long

    Can you help me? Why does this occur?

  22. Radu says:

    Coder, what is the exact command you are running? (And can you please redownload and use the updated version of the decrypter archive?)

  23. Alin says:

    Hello! In my case things are a bit different.
    The attack was made through an abandoned Magento install.
    BUT – they encrypted ONLY the /var/www folder
    and only the Apache-owned files. The files owned by root were not encrypted.
    How should I know if this decrypter applies to me?

  24. Alin says:

    I cannot find the /tmp/new/decrypter.py path

  25. Alin says:

    I tried to run like this:
    # python decrypter.py -s 1446655061 -l sorted_list
    [!] The seed, filelist, and errorfilelist are all required

  26. Coder says:

    Hi, I tried with the new version, but I get the same error. My steps were the following:

        root@kali:~/Escritorio# bash decrypter/sort_files.sh > sorted_list
        root@kali:~/Escritorio# head -1 sorted_list
        1446655006.0000000000 ./decrypter/pdf.encrypted
        root@kali:~/Escritorio# python decrypter/decrypter.py -f ./decrypter/pdf.encrypted
        Traceback (most recent call last):
          File "decrypter/decrypter.py", line 182, in <module>
            sys.exit(main(**vars(options)))
          File "decrypter/decrypter.py", line 150, in main
            seed = find_seed(filename)
          File "decrypter/decrypter.py", line 65, in find_seed
            iv_file, _ = parse_header(filepath)
          File "decrypter/decrypter.py", line 49, in parse_header
            key = f.read(key_sz)
        OverflowError: Python int too large to convert to C long

    Am I doing something wrong?

  27. Coder says:

    Maybe, for the next reply, I can use the return key to be a little more readable. Sorry for that.

  28. Jan says:

    The latest script which I downloaded about half an hour ago (Decrypter_0-1.3) is unable to get the seed from the first file of my sorted_list; it does not do anything at all. I have to stop the script with Ctrl-C. However the older version 0.2 of the decrypter.py script provides the correct seed from the same file with the -f option instantly.

  29. Radu says:

    Jan, you need to leave it longer as it now accounts for the multiple seed case. I gave you more details in the mail yesterday but you haven’t responded

  30. Radu says:

    Coder, I dropped you a mail for further info. Please check your inbox

  31. Radu says:

    Alin, please read the README, you have step by step instructions there. (in your case you are missing the -e parameter from step 5)

  32. Alin says:

    Hi Radu ! Can you please help me with some tips on how to solve in my case?

  33. Alin says:

    sorry ! I just read your message above

  34. Jon says:

    decrypter 1.3 hangs and does nothing for files that 1.2 worked fine on. Deb 7, python 2.7. Sits on a read in strace and never completes.

  35. nik247 says:

    I can’t get the seed with either version either.
    First 3 files from step 3:

        # ls -l ./files/*
        -rw-rw-rw- 1 nik nik   2329 Aug 25 04:17 ./files/dhcp-mikrotik-static.sh.encrypted
        -rw-rw-rw- 1 nik nik  36211 Aug 25 04:17 ./files/forumdisplay.php.encrypted
        -rw-rw-rw- 1 nik nik 295618 Aug 25 04:17 ./files/fsbackup-1.2pl2.tar.gz.encrypted

    Step 4:

        # python decrypter_v2.py -f ./files/dhcp-mikrotik-static.sh.encrypted
        Traceback (most recent call last):
          File "decrypter_v2.py", line 182, in <module>
            sys.exit(main(**vars(options)))
          File "decrypter_v2.py", line 150, in main
            seed = find_seed(filename)
          File "decrypter_v2.py", line 65, in find_seed
            iv_file, _ = parse_header(filepath)
          File "decrypter_v2.py", line 49, in parse_header
            key = f.read(key_sz)
        OverflowError: Python int too large to convert to C long
        # python decrypter_v2.py -f ./files/forumdisplay.php.encrypted
        Traceback (most recent call last):
          File "decrypter_v2.py", line 182, in <module>
            sys.exit(main(**vars(options)))
          File "decrypter_v2.py", line 150, in main
            seed = find_seed(filename)
          File "decrypter_v2.py", line 65, in find_seed
            iv_file, _ = parse_header(filepath)
          File "decrypter_v2.py", line 49, in parse_header
            key = f.read(key_sz)
        OverflowError: Python int too large to convert to C long
        # python decrypter_v2.py -f ./files/fsbackup-1.2pl2.tar.gz.encrypted
        [!] File is probably truncated
        [!] Seed not found! Timestamps corrupt?

  36. Aidus says:

    Hi Radu
    Trying to locate second seed in first file from error.list. Seems like script hangs.

  37. Radu says:

    The new version accounts for multiple infections and because of this takes significantly longer when finding the seed. It does not hang, please let it finish what it is doing.

    Also, please note that this decrypter ONLY works for Linux.Encoder.1. Trying files encrypted with something else will not work. (For example, someone sent me a file encrypted with TeslaCrypt; won’t work)

  38. nik247 says:

    Hi Radu.
    How can I detect files encrypted with Linux.Encoder.1?

  39. Aidus says:

    Radu, I have decoded about 70% of the files. The other 30% were encoded at the same time, so I think it is Linux.Encoder.1 too, just maybe with another seed. But the script (finding the seed in the first file) has been working for more than 1 hour. Is that normal? The size of the file is 5832 bytes.

  40. Radu CARAGEA says:

    Aidus, I sent you a mail for further info

  41. Alin says:

    IT WORKED !!!!!!

  42. Aidus says:

    Radu, sorry, don’t see email from you.

  43. Petschko says:

    Same here… it seems that step 4 isn’t working at all… It says timestamp not found or it hangs for hours… Is there a solution?
    In most cases I can use the number that is displayed before the file in step 3 (the digits before the dot) as the seed, but sometimes that doesn’t work and then I have to use step 4, which won’t work =/

  44. SysAdm says:

    Upon executing decrypter.py I get this error message:
        ImportError: No module named Crypto.Cipher
    I am running Python 2.7.7 and I have the python-dev package installed. Any ideas?

  45. Douglas de Souza says:

    Sorry, but I don’t understand the step-by-step walkthrough. I am on AWS, my Magento files are encrypted, and I can’t mount another instance. What do I really have to do? Sorry for my ignorance. Very limited. And I have no help from outside. Thanks in advance for the help.

  46. Jan says:

    Sysadm, Don’t know which Linux distro you have, but on Debian and alike systems it means just “apt-get install python-crypto” or something similar.

  47. Jan says:

    Also, I’m happy to report that I managed to decrypt all our files with the help of this particular script made by Bitdefender team. Thank You, it works.

  48. CDM says:

    My files say .gpg instead of .encrypted. Changing the script to look for .gpg I get the first file to have been encrypted. Running the decrypter I only get a MemoryError on line 49 (key = f.read(key_sz)).

  49. SysAdm says:

    Ubuntu 14.04 – already installed python-crypto, pip freeze shows pycrypto==2.6.1

  50. Gera says:

    I only backed up part of the encrypted files before reinstalling the server. Is there no way to decrypt only the files I still have?

  51. Javad says:

    My backup file in cPanel is infected. Can I download the backup and use your tool on a local machine? I’m not familiar with Python or Linux.

  52. Radu CARAGEA says:

    SysAdm, you have a system configuration problem most likely. So sorry, I can’t help you with that.

  53. Radu CARAGEA says:

    Gera, you need the original filesystem (with the original timestamps) to be able to decrypt files

  54. Bertil says:

    Hi, I am running into the following error while decrypting:

        Traceback (most recent call last):
          File "./decrypter.py", line 182, in <module>
            sys.exit(main(**vars(options)))
          File "./decrypter.py", line 156, in main
            decrypt_files(seed, filelist, errorfilelist)
          File "./decrypter.py", line 127, in decrypt_files
            if decrypt_file(d, filepath):
          File "./decrypter.py", line 98, in decrypt_file
            with open(decrypted_path, 'wb') as f:
        IOError: [Errno 13] Permission denied: '/srv/www/magento_3e/peler/phpmailer.zip'

    So there is a file which the decrypter cannot access – what solution do you suggest?

    Many thanks

  55. Radu CARAGEA says:

    Bertil, you do not have permissions for that directory. It says that it can’t create a new file with that path in order to write the decrypted content inside. Fix the permissions or run as a privileged user.

  56. Javad says:

    I wanted to thank you for creating this wonderful tool. I managed to run it on my server with the help of Sucuri team. Thanks again!

  57. Radu CARAGEA says:

    Javad, good to know you got your files back!

  58. Javad says:

    Is pycrypto required to run the script?

  59. Jeli says:

    Hi, my problem is that I don’t have the first encrypted file/timestamp anymore. So I am trying to go backwards in the file change time from an encrypted file I still have by changing

        ts = int(os.path.getmtime(filepath))

    to

        ts = int(os.path.getmtime(filepath)) - 3600 * x

    I am really no expert in Python, so I would like to ask you if I understood the script right and if this will work. Thanks for your time and effort.

  60. Radu CARAGEA says:

    Jeli, you first need to find the timestamp (seed).

    If this file was encrypted among the first 10000 files within 3600 seconds of modification time it should find the timestamp. That is what the “find_seed” function does. So if you think that the file you require is among the first 10000 encrypted then you can try the step to find the seed on it. (You can add a print for the “i” variable at line 71 to see the search progress)

    But if you copied the file from somewhere else it will not work (the modification time changes)

  61. Luis Fernandez says:

    Hello,

    Many thanks!

    It worked like a charm on an infected server. It has saved us many work hours.

  62. Kautilya Fadia says:

    Hi, I’ve tried the same procedure. My server is still accessible, as the infection ran as a vhost user and was only able to infect that vhost’s files.
    But I ran the script on one of the files and it says
    [!] Seed not found! Timestamps corrupt?
    The files were corrupted on 4th November and haven’t been touched since. I’m running this script today, on 18th November. Is that the issue?

    any help will be appreciated.

  63. Nik says:

    I think in “The million-dollar flaw” paragraph the last line that reads “without having to decrypt it with the RSA PUBLIC key” should be “without having to decrypt it with the RSA PRIVATE key”

  64. Radu CARAGEA says:

    Kautilya Fadia, I sent you an email to talk further. Check your inbox.

  65. Kautilya Fadia says:

    Finally got it working fine.

    Got all files decrypted. Thanks a lot guys, no words are enough to thank you. Saved our day. I’m happy to provide all I can to track the origin of the issue.

  66. Matthias says:

    Hello, Are there cases where a FreeBSD system was affected by the virus? Have you tested your tool on a recent FreeBSD? Thanks, Matthias

  67. Radu CARAGEA says:

    Matthias, the current script only works on the Linux version of the ransomware. It is possible to “port” it to FreeBSD by replacing the rand and __init__ functions in the script with equivalent functionality from the FreeBSD version of srand and rand.

  68. Maxim says:

    Hi, my files were encrypted (with extension .encrypted) on Nov 4 and never touched or modified since that. Today I ran this script (decrypter.py -f ./.htaccess.encrypted) to find the seed and it says:
    [!] Seed not found! Timestamps corrupt?

    What can be the issue? Any help will be appreciated.

  69. Matthias says:

    Radu, to do such a port one would need to know if the bad guys use the same way of encryption and the same bits for storing the header of each file; and of course an encrypted file tree for tests. Is there such an attack known already?

  70. Radu CARAGEA says:

    Maxim, I’ll drop you an email shortly to help you out.

  71. ben says:

    [!] Seed not found! Timestamps corrupt?

    What else can I do?

  72. Aléssio Júnior says:

    Radu Caragea, I have the same problem as Maxim and Kautilya.
    can you help me:

  73. Kautilya Fadia says:

    @Aléssio

    what I did to find time stamp is… place sort_files.sh in users home folder…

    run this with root user
    ./sort_files.sh / > sorted_list

    then run other instructions from the page.

  74. Mark says:

    My cPanel/WHM server running CentOS 6.7 has been infected. I tried the tool and managed to generate the sorted_list but couldn’t get past the decrypter step. Here are my steps.

        bash decrypter/sort_files.sh > sorted_list
        head -1 sorted_list
        1446654520.3479802050 ./.bash_logout.encrypted
        ./decrypter/decrypter.py -f /home/positive/.bash_logout.encrypted
        -bash: ./decrypter/decrypter.py: /usr/bin/python^M: bad interpreter: No such file or directory

    What am I missing, please?

  75. Avo says:

    Hi

    I also get the “[!] Seed not found! Timestamps corrupt?” error but I’m pretty sure that the encrypted file timestamps have not changed. Can somebody help?

  76. Radu CARAGEA says:

    Mark, try running with “python ./decrypter/decrypter.py -f /home/positive/.bash_logout.encrypted”

  77. Radu CARAGEA says:

    Avo, see inbox.

  78. Mark says:

    Thanks Radu, that got it to run but I’m now getting another error. I see the same error was mentioned above, but my host seems insistent that the system is all configured correctly.

        python ./decrypter/decrypter.py -f /home/positive/.bash_logout.encrypted
        Traceback (most recent call last):
          File "./decrypter/decrypter.py", line 8, in <module>
            from Crypto.Cipher import AES
        ImportError: No module named Crypto.Cipher

  79. Mark says:

    Just an update: I transferred my files off the server to a machine running Xubuntu and the script is working. For whatever reason it wouldn’t run on CentOS alongside cPanel. My issue now is similar to others above, with the seed not found error. I’m pretty sure my timestamps are unaltered as I compressed all the files before transferring and extracted them directly on my Xubuntu machine. The created/modified times etc. all match up with my original encrypted files. Would anyone be able to help with this?

  80. Matt says:

    Radu!!!! Help me please.
    I got
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?
    But it’s not changed!

  81. Claudio says:

    Hi,
    My error is:

        File "./decrypter/decrypter.py", line 8, in <module>
          from Crypto.Cipher import AES
        ImportError: No module named Crypto.Cipher

    Please help me!

  82. Matt says:

    Hello! Is anybody here? Please, help

  83. Claudio says:

    Hi, I got the decrypter file but it doesn’t work.
    How do I decrypt a file without the host file, using a key.pem?
    Is it possible with openssl? How? Please help me!

  84. Igor says:

        python decrypter.py -f ./web/***.ru/public_html/media/media/images/file_32.png.encrypted
        [!] File is probably truncated
        [!] Seed not found! Timestamps corrupt?

    What do I do?

  85. MUD says:

    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    I have tried all above methods.

  86. Duxer says:

    Hi!
    I also have the same problem:
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

  87. Sébastien says:

    Hi,

    Thx in advance for the help.

    I get this message while running decrypter.py:
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    The header seems to detect a valid timestamp:
    1174721220.0000000000 /var/www/utils(…)encrypted

    Thank you for the help!
    Sébastien.

  88. tom says:

    It appears that the original flaw in the virus has been modified, as by running the suggested scripts I get the
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    error messages. Any updates from Bitdefender on evaluating whether the prior method of unlocking is even appropriate any more?

    thanks
    tom

  89. KR says:

    I get the following Error. Do you have a solution for me?

        Traceback (most recent call last):
          File "decrypter.py", line 182, in <module>
            sys.exit(main(**vars(options)))
          File "decrypter.py", line 150, in main
            seed = find_seed(filename)
          File "decrypter.py", line 65, in find_seed
            iv_file, _ = parse_header(filepath)
          File "decrypter.py", line 49, in parse_header
            key = f.read(key_sz)
        OverflowError: long int too large to convert to int

  90. Tom says:

    Hi, I’m also getting:

    “[!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?”

    Do you have any pointers for this?

  91. Tony Gallacher says:

    Hi. We have all of our web sites hosted on our Linux servers encrypted with Linux.Encoder. Your instructions are very clear, but as I am fairly new to this I wondered if I need to back up all the encrypted files first as a precaution before attempting to decrypt the files?

  92. Tony Gallacher says:

    I ran sort_files.sh and then head -1 sorted_list and it displayed 0.0000000000 /var/www/vhosts/ns333218.ip-37-187-159.eu/stfinianscc.ie/license.php.encrypted. Should this display a number instead of 0?

  93. Ram V says:

    I am getting the following errors:

    python decrypter.py -f ./LICENSE.txt.encrypted
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    Can you please help me resolve this? I am stuck at this point.

    Thanks,
    Ram

  94. Jose A says:

    I’m getting this error:

    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    Any idea?

  95. Jose Bravo says:

    Thanks Radu for this script!
    I’m getting this error running it to the first line of my sorted.list
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    The attack only affected the /home/user directory. I want to know if the timestamp that we need is that of the first file it did encrypt or of the one it first tried to encrypt. I ask that because the script may have tried to encrypt a file where it doesn’t have permission to write, and if that is the case the timestamp will be hard to know.

    Is there any way to brute-force the timestamp within a range?

  96. Tony Gallacher says:

    I tried running the python decryptor/decrypter.py -f /var/www/vhosts/ns333218.ip-37-187-159.eu/stfinianscc.ie/license.php.encrypted

    and got the following.
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    Any thoughts

  97. Tony Gallacher says:

    I just noticed in a previous response that the script only runs with Python 2.7. I have Python 2.6 installed; will I need to update to Python 2.7 to run the script?

  98. Radek says:

    Hi Radu, I am getting the same error during the seed generation as Coder had:

        Traceback (most recent call last):
          File "./decrypter.py", line 142, in <module>
            sys.exit(main(**vars(options)))
          File "./decrypter.py", line 112, in main
            seed = find_seed(filename)
          File "./decrypter.py", line 49, in find_seed
            key = f.read(key_sz)
        OverflowError: Python int too large to convert to C long

    I am on Debian jessie. Many thanks for any help!

  99. Dario Fadda says:

    Hi, this virus has encrypted all my work files. When I try to generate the seed, the script replies:

    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    How is it possible? I haven’t changed any files.

  100. Redheart says:

    Hi Radu

    I’m getting this error running it to the first line of my sorted.list
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    I tried it on more lines of the sorted.list but no luck

    Can you please help me ?

  101. Dario Fadda says:

    Now I’ve updated Python and reran the script from scratch, and the error is:

    OverflowError: Python int too large to convert to C long

    How can I bypass this?

  102. Rory says:

    I get the following error:
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    It looks like the timestamps have not been modified by the encryption process, as the first file in the list was last modified in 2010. Is there another way to find the file with the seed?

  103. Diego says:

    I get the following error:
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    Is there anything else I can do?

  104. Matt says:

    Guys, as I understand it, there must be 2 different scripts. I checked the Python code; if you have the error:
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    it is possibly another format of encrypted file (function parse_header). Does somebody know?

  105. Welington says:

    Hi, my files were encrypted (with extension .encrypted) on Dec 30 and never touched or modified since that. Today I ran the script to find the seed and it says:

    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    What can be the issue? Any help will be appreciated.

  106. Radu CARAGEA says:

    Good news. The new ransomware campaign from Dec 30 has also been cracked. Check the article here for details and decryption utility: http://labs.bitdefender.com/2016/01/third-iteration-of-linux-ransomware-still-not-ready-for-prime-time/

  107. Redheart says:

    Thanks Radu it works.

    Do you think they will update the decrypter to work with a list of file names ?

  108. Radek says:

    Radu! Many thanks! The tool works great. Although our servers are used for non-profit purposes, is there any way we can express our gratitude other than making the servers more secure and improving backups?

  109. ARTIst says:

    Hello, i have same problem on my hosting.
    [!] File is probably truncated
    [!] Seed not found! Timestamps corrupt?

    I have no root rights… Help pls!!!

  110. Radek says:

    @Redheart
    take a look at the discussion under the link Radu provided, there is a script that works with the list of files. Hope that helps

  111. Redheart says:

    Thanks Radek.