Hello, welcome to the Monday, February 25th, 2019 edition of the Sands and the Storm Center's Stormcast. My name is Johannes Ulrich, and I'm recording from Augusta, Georgia.

When we talk about ransomware, we often talk about Windows systems getting infected by your standard mal-spam or users visiting suspect

websites but ransomware also affects servers and we have two stories about this today the first one

is about what's referred to as the Prontock Ransomware so far.

It appears to only affect Linux servers so far.

However, very little is known about this ransomware, so not necessarily sure whether it's

targeting the Linux servers, how it's targeting them.

In the past, Linux ransomware has often just been uploaded using either

standard vulnerabilities like triple of course we had a recent one or weak passwords what's a little bit

different about this ransomware is that it also encrypts the file names. But of course, encrypted file names may include binary.

Characters are not printable or allowable as a file name.

So what they're doing actually, they're then URL encoding these file names to allow for these odd byte values.

Also, the files themselves appear to be encrypted and then base 64 encoded.

Not really sure why they do this, but maybe again they're trying to make this a little bit

easier on the encoding side or just the crypto library that they used produces basics

the four encoded output.

The second ransomware targeting Linux devices goes according to the pleading computer forum

by the name of Cryptor and targets ancient D-Link devices, in particular DNS 320 devices using a vulnerability

that was originally discovered in 2012.

However, these DNS 320 devices are no longer supported and I don't think that an updated firmware was ever released

for these devices. So if you still have one, then you are very vulnerable. On the other hand,

not to be clear if any unexploited vulnerable devices are still around. The exploit is trivial.

...