- 21e4dc8307109bdd3a31292c655bb4cb152520cd (x86_64)
- 989750746f58904c377ba7edc22c5dfad3e40855 (UPX, x86_64)
- cccec1a6ee56741745adac5d190c30cadb7eea5b (x86)
- f1b8da40feb1abeaa1b7f1322f48f9d96a018a00 (UPX, x86)
Encryption ransomware for Linux written in C using the PolarSSL library. It is an advanced modification of Linux.Encoder.1 and Linux.Encoder.2. However, in this version cybercriminals implemented some other features as well:
- Encryption mode is changed to AES-CBC-256.
- The Trojan restores dates of files creation or modification to those that were before the encryption.
An encryption key for every file is generated from two buffers: one is permanent and is created based on parameters of an encrypted file; and the other is based on 32 random numbers received by sequential call of the rand() system function.
Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware.