Linux.Encoder.1
Linux.Encoder (also known as ELF/Filecoder.A and Trojan.Linux.Ransom.A) is considered to be the first ransomware Trojan targeting computers running Linux.[1] There are additional variants of this Trojan that target other Unix and Unix-like systems. Discovered on November 5, 2015, by Dr. Web, this malware affected at least tens of Linux users.[2]
Linux.Encoder.1 is remotely executed on the victim's computer by using a flaw in Magento, a popular Content management system app. When activated, the malware encrypts certain types of files stored on mounted local and network drives using AES and RSA Public-key cryptography, with the private key stored only on the malware's control servers. The malware then store a file called "readme_to_decrypt.txt" in every directory, containing a message, which offers to decrypt the data if a payment (through Bitcoin) is made.[3] Compared to other ransomware such as CryptoLocker, the malware does not state a deadline to pay and the ransom does not increase over time.