The ransomware is currently being called “Linux.Encoder.1,” and security firm Doctor Web has reportedly seen it bite only a handful of websites so far. Victims are currently in “at least tens,” but each time it locks down a website, it demands one Bitcoin in payment. With the recent uptick in value, that’s about $500.
Many of the infected systems were accessed through a vulnerability in the Magento CMS. A patch was issued to close this security hole on October 31st, but not all users will have installed the new version right away. The funds from the first wave of attacks could also be used to purchase a previously undisclosed exploit, which would widen the scope of the attacks.
In each directory it encrypts, Linux.Encoder.1 helpfully leaves a text file called README_FOR_DECRYPT.txt. This is the ransom note. It explains that the contents of the server are encrypted and that, in order to recover the files, you'll need to pay one Bitcoin to the attackers at a specific Bitcoin address. It also links to a site on the Tor network (the so-called deep web) through a Tor2web redirect.
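Because the ransom note is dropped into every directory the malware encrypts, the quickest way to gauge how much of a server was hit is to search for that filename. The script below is an added example, not code from the article or from Doctor Web: it looks for README_FOR_DECRYPT.txt under a given root and lists the affected directories. The sample directory layout it builds (app/code, media/catalog, var/log) is constructed for the demonstration and is not taken from any real infection.

```shell
#!/bin/sh
# Added example (not from the article): triage a web root for
# Linux.Encoder.1 ransom notes and report which directories were hit.

NOTE_NAME="README_FOR_DECRYPT.txt"   # filename the article reports

# find_ransom_dirs ROOT
#   Print each directory under ROOT that contains the ransom note,
#   one per line, de-duplicated and sorted.
find_ransom_dirs() {
    find "$1" -type f -name "$NOTE_NAME" -exec dirname {} \; | sort -u
}

# count_ransom_dirs ROOT
#   Print the number of affected directories (no surrounding whitespace).
count_ransom_dirs() {
    find_ransom_dirs "$1" | wc -l | tr -d ' '
}

# build_sample_tree
#   Create a constructed web root with two "encrypted" directories and
#   one clean one, then print its path. Purely illustrative layout.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/app/code" "$root/media/catalog" "$root/var/log"
    printf 'Your files are encrypted. Pay 1 BTC to ...\n' > "$root/app/code/$NOTE_NAME"
    printf 'Your files are encrypted. Pay 1 BTC to ...\n' > "$root/media/catalog/$NOTE_NAME"
    printf 'clean log line\n' > "$root/var/log/system.log"
    echo "$root"
}

# Run with --demo to exercise the functions against the sample tree;
# in real use, call find_ransom_dirs /var/www (or your actual web root).
if [ "${1:-}" = "--demo" ]; then
    demo_root=$(build_sample_tree)
    echo "Affected directories under $demo_root:"
    find_ransom_dirs "$demo_root"
    echo "Total affected: $(count_ransom_dirs "$demo_root")"
    rm -rf "$demo_root"
fi
```

Run it as `sh triage.sh --demo` to see it against the sample tree, or call `find_ransom_dirs /var/www` on a suspect host. Note that this only tells you where the note was dropped; confirming which individual files were actually encrypted still requires comparing the tree against a known-good backup.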
If the victim pays up, the attackers say they'll provide the decryption key to access all the locked files. That, of course, assumes you believe they will follow through. This scheme is less sophisticated than some previous ransomware attacks, but the files in question may be of greater commercial value, which makes it more likely that owners of the web servers will pay the ransom. The best way to avoid being held hostage by this malware is to keep your software patched and to keep a backup of your important server files stored in a different location.