Ransomware in Nepal Government Server

Recently Rigo technology researchers has found a ransomware, a malware which has infected Nepal Government web server mofa.gov.np. This malware encrypts the file of the victim and asks for the ransom to decrypt victim files, folder or computer. After researching about this ransomware in open source ransomware finder ID-ransomware, it is detected as KeRanger but KeRanger is developed for Mac OX so we look more for this variant and found it is Linux.Encoder.

What is Linux.Encoder?

Linux.Encoder is ransomware family that was first discovered by Dr.Web, a Russian antivirus company last November. The ransomware only targeted Linux machines and looked to encrypt files specific to Web servers and source code repositories.

Later on, it was discovered that Linux.Encoder was based on the Hidden Tear ransomware family, open-sourced and uploaded on GitHub by Turkish security researcher Utku Sen for educational purpose. This malware relies on a security hole in the Magento web e-commerce platform to infect the machine.

How Linux.Encoder Encryption process works?

When a user installed and executed the malicious version of the Transmission application, an included file called General.rtf was copied to ~/Library/kernel_service and executed. General.rtf is the main executable for theLinux.Encoder ransomware and was masquerading as a RTF document. Once this file is copied to kernel_service and executed it will create two files called ~/Library/.kernel_pidand ~/Library/.kernel_time. The kernel_pid file contains the process ID for the running kernel_service process and the .kernel_time file will contain a timestamp of when the ransomware was first executed.

Malicious General.rtf File

Linux.Encoder will then sleep for three days and by comparing the current time with the timestamp stored in the .kernel_time file, will awaken after three days have passed.  Once awakened, Linux.Encoder will contact one of three TOR Command & Control servers and send information about the machine and receive an encryption key that it will use to encrypt the victim’s files.

Once an encryption key is received from the Command & Control server,Linux.Encoder will scan all of the files under  the /Users and /Volumes folders for files that contain certain extensions.  Due to its scanning of the /Volumes folder, any external drives plugged into the computer would also be scanned and encrypted. When a matching file is found it will encrypt it using AES encryption and add the .encrypted extension to the filename. For example, test.jpg would become test.jpg.encrypted.

Encrypted Documents

The file extensions targeted byLinux.Encoder are:

.3dm, .3ds, .3g2, .3gp, .7z, .ab4, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .ads, .ai, .ait, .al, .apj, .arw, .asf, .asm, .asp, .asx, .avi, .back, .backup, .bak, .bank, .bay, .bdb, .bgt, .bik, .bkf, .bkp, .blend, .bpw, .cdb, .cdf, .cdr, .cdx, .ce1, .ce2, .cer, .cfp, .cgm, .class, .cls, .cmt, .cnv, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .csv, .dac, .db, .db3, .dbf, .dbr, .dbs, .dc2, .dcr, .dcs, .dcx, .ddd, .ddoc, .dds, .der, .des, .design, .dgc, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .ebd, .edb, .eml, .eps, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flv, .fm, .fp7, .fpx, .fxg, .gdb, .gray, .grey, .grw, .gry, .hbk, .hpp, .ibd, .idx, .iif, .indd, .java, .jpe, .jpeg, .jpg, .kdbx, .kdc, .key, .laccdb, .lua, .m4v, .maf, .mam, .maq, .mar, .maw, .max, .mdb, .mdc, .mde, .mdf, .mdt, .mef, .mfw, .mmw, .mos, .mov, .mp3, .mp4, .mpg, .mpp, .mrw, .mso, .myd, .ndd, .nef, .nk2, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nwb, .nx1, .nx2, .nyf, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .oil, .one, .orf, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pages, .pas, .pat, .pbo, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pip, .pl, .plc, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .ps, .psafe3, .psd, .pspimage, .ptx, .pub, .puz, .py, .qba, .qbb, .qbm, .qbw, .qbx, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm, .rtf, .rwz, .sas7bdat, .say, .sd0, .sda, .sdf, .snp, .sql, .sr2, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tex, .tga, .thm, .tlg, .txt, .vob, .vsd, .vsx, .vtx, .wav, .wb2, .wbk, .wdb, .wll, .wmv, .wpd, .wps, .x11, .x3f, .xla, .xlam, .xlb, .xlc, .xlk, .xll, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xpp, .xsn, .yuv, .zip, .tar, .tgz, .gzip, .tib, .sparsebundle

In each folder that a file is encrypted,Linux.Encoder will also create a ransom note titled README_FOR_DECRYPT.txt. This ransom note contains information on what happened to the victim’s files and instructions on making the payment.


Inside the ransom note is the address for the TOR payment site that the victim’s must connect to in order to pay the ransom and download the decryptor. This payment server is described in more detail in the next section.

Finally,Linux.Encoder will create a file called ~/Library/.kernel_complete that contains the string “do not touch this”. The presence of this file is to probably indicate that the computer has already been encrypted and that further executions of the ransomware do not encrypt the same data another time.

How to decrypt Linux.Encoder ?

Bitdefender is the first security vendor to release a decryption tool that automatically restores affected files to their original state. The tool determines the IV and the encryption key simply by analyzing the file, then performs the decryption, followed by permission fixing. If you can boot your compromised operating system, download the script and run it under the root user.

Here is a step-by-step walkthrough to get your data back:

– Download the script from the bitdefender. [link updated to include the fix for the recent evolution of the ransomware]

(chances are that encryption also affected the system and you might need to boot from a live CD or mount the affected partition on a different machine)
– Mount the encrypted partition using the mount /dev/[encrypted_partition]
– Generate a list of encrypted files by issuing the following command: /mnt# sort_files.sh encrypted_partition > sorted_list
– Issue a head command to get the first file: /mnt# head -1 sorted_list
– Run the decryption utility to get the encryption seed: /mnt# python decrypter.py –f [first_file]
– Decrypt everything using the displayed seed: /mnt# python /tmp/new/decrypter.py -s [timestamp] -l sorted_list

Note: We have already informed about this issue to the server owner and the resource person of Nepal Government.


Manish Dangol

Leave a Reply

Your email address will not be published. Required fields are marked *