Ransomware is everywhere these days. No longer confined to computers, it's attacking people's phones and, via Android, is even holding smart TVs to ransom. It has also been attacking Linux servers. In this article, we'll explain what ransomware is, how it infects Linux servers, and what you can do to eradicate the Linux Encoder ransomware infection and protect yourself from further infection in the future.
What is Ransomware?
In simple terms, ransomware is malicious software that prevents you from accessing your device until you have paid a ransom. The most common way it does this is by encrypting the files on your computer. Once you have paid the ransom, usually in Bitcoin, you receive a key which will decrypt your files and restore your computer.
Ransomware is a growing problem. It no longer just attacks personal computers but now also encrypts servers belonging to large organisations. A recent attack on a hospital in Los Angeles encrypted their entire network, including patient records, and forced them to pay over $17,000 in ransom fees.
Ransomware continues to be developed and become ever more sophisticated. It is particularly good at hiding itself from antivirus software, so can frequently infect devices without detection. What has made it more of a menace in recent years is that the software is now available for sale on the dark web and is being used by larger numbers of criminals who are eager to get in on the gold rush.
Originally limited to Windows OS, ransomware has now crossed over to Mac, Android and Linux, meaning it has the ability to affect the most common mobile OS and the Linux servers on which the majority of the world’s systems and websites are run.
What is Linux Encoder ransomware?
Linux Encoder is a Trojan that installs crypto-ransomware on your Linux server via a security hole in the Magento e-commerce platform. The software is remotely activated and, once installed, encrypts and renames all the files on your server. It then adds a file called 'README_FOR_DECRYPT.txt' to each of your directories (see image below) which gives you instructions on how to pay the ransom and unscramble your files.
Image: RansomMessage, by Arthur2968 (Own work) [CC BY-SA 4.0 (http://creativecommons.org/licenses/by-sa/4.0)], via Wikimedia Commons: https://commons.wikimedia.org/wiki/File%3ARansomMessage.png
Despite its name, Linux Encoder is not a problem with Linux-based servers per se. Because the security hole is in the Magento software, Linux servers which do not have Magento installed are not at risk.
The impact of ransomware on Linux servers
The process that Linux Encoder uses to encrypt is as follows. Firstly, the malware encrypts all of the files in the home directories as well as any directories related to website administration. After this, the software works its way through the entire file system, beginning with the directory from which it was launched and then moving on to the root directory ("/"). From here, it only encrypts files with specified extensions, and only if the directory name starts with one of the strings chosen by the cybercriminals.
Once the files are encrypted you will have no administrative access to your website, and because your files are encrypted, your website or system will be offline.
Whilst not all cases are reported, of those that were, the economic cost to businesses caused by this kind of infection was in the region of $18m over the last twelve months – and this was just in the USA.
Defeating the threat
Luckily, the Linux Encoder can be eradicated, so there is no need to pay the ransom. An error in the way the Trojan operates means that the encryption key you are supposed to pay the ransom for is actually generated on your own server, and the information you need to regenerate that key can be retrieved by looking at the encrypted file's time-stamp.
Whilst eradicating the Trojan and restoring the files is a fairly easy task for encryption professionals, for most people it would be a technically challenging process. Thankfully, the antivirus company Bitdefender has created a free script to obtain the Linux.Encoder key.
Once you have downloaded the script, here are the instructions to use it.
- Boot your ransomed server, download the script and run it as root. (If you are unable to boot, download the script and decompress it onto a Linux live USB stick, then mount the encrypted partition at /mnt with the shell command: mount /dev/[encrypted_partition] /mnt)
- Generate a list of encrypted files with the following command, run from /mnt: sort_files.sh encrypted_partition > sorted_list
- Issue a head command to get the first file: head -1 sorted_list
- Run the decryption utility on that file to get the encryption seed: python decrypter.py -f [first_file]
- Decrypt all the other infected files using the displayed seed (the time-stamp): python /tmp/new/decrypter.py -s [time-stamp] -l sorted_list
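To show why the file time-stamp is enough to rebuild the key, here is an added toy model of the recovery steps above; it is not Linux.Encoder's real cipher and not Bitdefender's decrypter.py. The XOR keystream, the single seed shared by the whole run, the function names and the sample files are all assumptions of this illustration.

```python
import random
from typing import Dict, Optional

# Toy model of the flaw: the keystream comes from a PRNG seeded with the clock
# at encryption time, so the encrypted file's own mtime narrows the seed to a
# few candidates. (Assumption: random.Random stands in for the real cipher.)
def xor_with_seeded_keystream(data: bytes, seed: int) -> bytes:
    rng = random.Random(seed)
    return bytes(b ^ rng.getrandbits(8) for b in data)

def recover_seed(ciphertext: bytes, mtime: int, known_prefix: bytes,
                 window: int = 60) -> Optional[int]:
    """Try every seed up to `window` seconds before the file's mtime; the seed
    whose keystream turns the first bytes back into `known_prefix` is the one."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(mtime - window, mtime + 1):
        if xor_with_seeded_keystream(head, seed) == known_prefix:
            return seed
    return None

def decrypt_all(files: Dict[str, bytes], seed: int) -> Dict[str, bytes]:
    return {name: xor_with_seeded_keystream(ct, seed) for name, ct in files.items()}

# Constructed sample: three web files encrypted with a seed taken from the
# clock, each stamped with an mtime a few seconds after that seed.
PLAINTEXTS = {
    "index.php": b"<?php echo 'shop'; ?>",
    "config.php": b"<?php $db = 'magento'; ?>",
    "admin/login.php": b"<?php session_start(); ?>",
}
SEED = 1447113600  # constructed value, not taken from any real incident
ENCRYPTED = {n: xor_with_seeded_keystream(p, SEED) for n, p in PLAINTEXTS.items()}
MTIMES = {"index.php": SEED + 2, "config.php": SEED + 3, "admin/login.php": SEED + 5}

def run_recovery() -> Dict[str, bytes]:
    # Mirrors the procedure: sort by mtime, take the earliest file, recover the
    # seed from it using a known PHP header, then decrypt the rest with it.
    first = sorted(MTIMES, key=MTIMES.get)[0]
    seed = recover_seed(ENCRYPTED[first], MTIMES[first], b"<?php")
    if seed is None:
        return {}
    return decrypt_all(ENCRYPTED, seed)

if __name__ == "__main__":
    for name, content in run_recovery().items():
        print(name, content.decode())
```

The earliest file is used because its mtime is the closest to the moment the seed was drawn, which keeps the search window small.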
Security measures to avoid ransomware infection
The vast majority of Magento users were protected from ever getting infected by the Linux Encoder Trojan because six months before the ransomware emerged, the Magento developers had already spotted the vulnerability and produced a patch that would remove the security hole entirely. If you are still using an outdated version of Magento, you should update to the latest version now to avoid any chance of the ransomware infecting your server.
Luckily, there are few other ransomware threats that aim directly at the Linux OS; instead, the security holes are usually found in the software that runs on it. To avoid infection, you should aim to do the following:
- Always keep your software up to date. This includes plugins and themes.
- Make sure that you use strong passwords to prevent brute force attacks.
- Use a vulnerability scanner, like MTvScan, to make sure that your server is monitored for threats and use a firewall.
- Always make sure that you have a complete backup of your files, software and database. If you are infected, you may need to rebuild your site from scratch, and a backup will make this a relatively easy and pain-free process.
From reading this article, you should now understand what ransomware is and, specifically, what the Linux Encoder Trojan is and how it infects your Linux server. You should also be aware of how to eradicate the Trojan from your system and what to do in future to protect your Linux server from further ransomware infection.
If you are looking for Linux hosting that comes with a range of security features take a look at our range of Linux VPS Server packages. In addition, see how our flexible and secure backup service can help you put your disaster recovery plans into place.