[sf-lug] Ransomware threat to Linux servers
Michael Paoli
Michael.Paoli at cal.berkeley.edu
Tue Nov 10 01:56:17 PST 2020
> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: Re: [sf-lug] Ransomware threat to Linux servers
> Date: Mon, 9 Nov 2020 16:59:22 -0800
> Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):
>
>> <https://www.zdnet.com/article/linux-version-of-ransomexx-ransomware-discovered/>
> Article says RansomEXX is an 64-bit ELF binary that, when run, encrypts
> file with 256-bit AES.
Oooh, wowie! Just like I can do with, ... oh ... openssl, for
instance:
$ cd $(mktemp -d)
$ cat /usr/share/dict/words > file
$ openssl rand -base64 20 > password
$ ls -i file
118567702 file
$ dd if=file ibs=1048576 2>>/dev/null | openssl enc -aes256 -pass
file:password -salt -iter 8 | dd conv=notrunc obs=1048576 of=file
2>>/dev/null
$ head -c 80 file | cat -vet; echo
Salted__M-9M-eM-^M'^SM-^@M-'M-^NM-^H^IM-)7m$
M-^L\M-^ZM-^SM-tF3M-^GM-TM-:M-Rf^ZgM-^YM-^MM-^HM-EkM-^A!M-G5M-<M-^RoM-hM-KM-^ZM-^AM-Q|{U<M-^UM-)<M-lM-^_<bM-^W/^VM-YM-Zl^@M-b^PMnqM-^]M-"M-,>
$ tail -c 80 file | cat -vet; echo
z3M-\g{^K^TkM-^[M-'whM-Y^GM-hM-ZM-^X2M-*\yA][M-aM-DM-9M-4M-yM-opM-'OM-uM-bM-.f1M-^XM-~M-+M-MM-u@^[M-KM-^OM-4M-^Q?M-P^\M-{fM-!M-TkM-FM-^F3TM-^LiM-^CM-GM-kuM-io_M-=M-^ZM-ZAM-M-M-7M-^Gk7
$ dd if=file ibs=1048576 2>>/dev/null | openssl enc -aes256 -pass
file:password -d -salt -iter 8 | dd conv=notrunc bs=1048576 of=file
0+234 records in
0+234 records out
972398 bytes (972 kB, 950 KiB) copied, 0.00792452 s, 123 MB/s
$ truncate -s 972398 file
$ cmp /usr/share/dict/words file
$ ls -i file
118567702 file
$ dd if=file ibs=1048576 2>>/dev/null | openssl enc -aes256 -pass
file:password -salt -iter 8 | dd conv=notrunc obs=1048576 of=file
2>>/dev/null
Please send your 300 trillion USD to bitcoin address: ...
within the next 5ms, otherwise I won't give you the
password to be able to decrypt file.
$ rm password
$
Too late.
So, ... tell me again how this RansomEXX thing is news?
Yeah, ... not.
More information about the sf-lug
mailing list