My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2016-01-07

Virus description added:


  • 21e4dc8307109bdd3a31292c655bb4cb152520cd (x86_64)
  • 989750746f58904c377ba7edc22c5dfad3e40855 (UPX, x86_64)
  • cccec1a6ee56741745adac5d190c30cadb7eea5b (x86)
  • f1b8da40feb1abeaa1b7f1322f48f9d96a018a00 (UPX, x86)

Encryption ransomware for Linux written in C using the PolarSSL library. It is an advanced modification of Linux.Encoder.1 and Linux.Encoder.2. However, in this version cybercriminals implemented some other features as well:

  1. Encryption mode is changed to AES-CBC-256.
  2. The Trojan restores dates of files creation or modification to those that were before the encryption.

An encryption key for every file is generated from two buffers: one is permanent and is created based on parameters of an encrypted file; and the other is based on 32 random numbers received by sequential call of the rand() system function.

Doctor Web security researchers have developed a new technique that, in most cases, can help decrypt files compromised by the malware.

News about the Trojan

Curing recommendations


After booting up, run a full scan of all disk partitions with Dr.Web Anti-virus for Linux.

Free trial

One month (no registration) or three months (registration and renewal discount)

Download Dr.Web

Download by serial number