Those infected with the recently released ransomware for Linux should thank researchers from Bitdefender, who have created a tool that can decrypt victims’ files. They did this by discovering a major flaw in the ransomware's implementation of its encryption algorithm.
The Linux.Encoder.1 ransomware encrypts files using the Advanced Encryption Standard (AES); the AES key is then itself encrypted using an asymmetric encryption algorithm, RSA. RSA has two keys: a public key to encrypt data and a private key to decrypt it. Only the public key is sent to the infected systems, and the private key is retained by the attackers. However, researchers realized that the program generates the AES keys from a weak source of data: the time and date. This timestamp indicates when the key files were created, so researchers can reverse the process and recover the AES key. The tool created by Bitdefender determines the initialization vectors as well as the AES encryption keys by analyzing the files, and it fixes their permissions on the system. You can find complete instructions on how to use the tool in their blog post.
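
The weakness described above, as an added toy model (not the ransomware's code and not Bitdefender's tool): when key material comes from a generator seeded with a timestamp, anyone who knows roughly when a file was written can regenerate it. Python's `random` module, the SHA-256 keystream standing in for AES, the `%PDF-` header check, the one-hour search window and all sample values are assumptions constructed for this illustration.

```python
import hashlib
import random

def derive_key_iv(seed: int) -> tuple[bytes, bytes]:
    """Weak pattern: key and IV come from a PRNG seeded with a timestamp."""
    rng = random.Random(seed)  # stand-in PRNG (assumption)
    key = bytes(rng.getrandbits(8) for _ in range(16))
    iv = bytes(rng.getrandbits(8) for _ in range(16))
    return key, iv

def keystream_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for AES (stdlib only); XOR is its own inverse."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + iv + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def recover_seed(ciphertext: bytes, known_header: bytes, file_mtime: int,
                 window: int = 3600):
    """Try each second in the window ending at the file's modification time
    and keep the seed whose key decrypts the expected file header."""
    for seed in range(file_mtime, file_mtime - window - 1, -1):
        key, iv = derive_key_iv(seed)
        if keystream_xor(key, iv, ciphertext[:len(known_header)]) == known_header:
            return seed
    return None

# Constructed sample: a file encrypted with a key seeded at ENCRYPT_TIME.
ENCRYPT_TIME = 1447000000
PLAINTEXT = b"%PDF-1.4 constructed sample document body"
CIPHERTEXT = keystream_xor(*derive_key_iv(ENCRYPT_TIME), PLAINTEXT)
FILE_MTIME = ENCRYPT_TIME + 2  # assumption: file written just after key generation

def demo():
    """Recover the seed from the timestamp alone, then decrypt the sample."""
    seed = recover_seed(CIPHERTEXT, b"%PDF-", FILE_MTIME)
    key, iv = derive_key_iv(seed)
    return seed, keystream_xor(key, iv, CIPHERTEXT)

if __name__ == "__main__":
    seed, recovered = demo()
    print("recovered seed:", seed)
    print("recovered data:", recovered)
```

A one-hour window is only 3,601 candidate seeds, which is why a timestamp offers no meaningful protection as a key source.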