Here's bad news for people who operate a web server running on Linux.
A new attack, FairWare ransomware, targets Linux users: the attackers hack a Linux server, delete the web folder, and then demand a ransom payment of two bitcoins (around $1,150) from the administrators to restore it. The attackers claim the files were first encrypted and uploaded to a server under their control.
The malicious program is not the first ransomware threat to target Linux-based web servers, but it is the first to delete files. Another program, called Linux.Encoder, first appeared in November and encrypted files, but because of its flawed implementation researchers easily created recovery tools.
Victims first learned about this attack when they discovered their websites were down. When they logged into their Linux servers, they discovered that the website folder had been removed and a note called READ_ME.txt was left in the /root/ folder. This note contained a link to a further ransom note on pastebin.
The content of the READ_ME.txt file is:
“Hi, please view here: http://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!”
The ransom note on pastebin demands that the victim pay the ransom to the bitcoin address 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within two weeks to get the files back, failing which the attackers say they will leak them on the internet. Victims are also told that they can email fairware@sigaint.org with any questions.
It isn't clear yet whether the attackers actually possess copies of the deleted files, nor whether this is an automated attack that simply scans the internet at large and infects whatever it can, or whether the attacks are targeted.
Most of these attacks do not have drastic consequences, but few server operators are likely to take the chance. The best protection against this attack is a good backup, so that the server's data cannot be held hostage. With one in hand, the operator can simply install the OS fresh, restore from backup, and monitor the situation. That's a lot better than shelling out $1,150 to thieves who might not actually still have your data.
Webmasters should keep in mind that backups must be saved to an offsite location, not on the production server where they can be affected by a potential server compromise.
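To make the advice above concrete, here is an added example (not code from the article or from any FairWare analysis) of a small POSIX shell script that checks for the symptom described here, a missing or emptied web root alongside a ransom note in /root, and that archives the web root with a recorded SHA-256 to an offsite location and verifies the archive restores. The web root path, the offsite directory and the note path are assumptions passed as arguments; in production the offsite target would be a separate host reached via rsync or scp rather than a local directory.

```shell
#!/bin/sh
# Added example, not part of the original article. Paths are assumptions.
set -eu

# Returns 0 if the web root exists and is non-empty, 1 if it looks wiped
# (the symptom described above: web folder gone, READ_ME.txt left in /root).
check_webroot() {
    webroot="$1"; note="${2:-/root/READ_ME.txt}"
    if [ ! -d "$webroot" ] || [ -z "$(ls -A "$webroot" 2>/dev/null)" ]; then
        echo "ALERT: $webroot missing or empty" >&2
        [ -e "$note" ] && echo "ALERT: ransom note found at $note" >&2
        return 1
    fi
    return 0
}

# Archive the web root and record a SHA-256 of the archive next to it in the
# offsite location. $2 is a directory here (e.g. a mounted remote share);
# give an absolute path so the recorded hash file can be checked from anywhere.
backup_webroot() {
    webroot="$1"; offsite="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$offsite/webroot-$stamp.tar.gz"
    mkdir -p "$offsite"
    tar -C "$(dirname "$webroot")" -czf "$archive" "$(basename "$webroot")"
    sha256sum "$archive" > "$archive.sha256"
    echo "$archive"
}

# Verify an archive against its recorded hash and confirm it extracts into a
# scratch directory with at least one file. Returns 0 only if both checks pass,
# so a corrupted or tampered archive is caught before it is needed.
verify_backup() {
    archive="$1"
    sha256sum -c "$archive.sha256" >/dev/null 2>&1 || return 1
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive" 2>/dev/null || { rm -rf "$scratch"; return 1; }
    count=$(find "$scratch" -type f | wc -l)
    rm -rf "$scratch"
    [ "$count" -gt 0 ]
}
```

Run `check_webroot` from cron so that an emptied web root raises an alert before visitors do, and run `verify_backup` on every new archive rather than discovering a bad backup during restore.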
So far this attack has served mainly as a backup reminder for web operators, and also as an update reminder: the longer you go without patching, the greater the chance of your server becoming compromised.