A ransomware program that deletes files from Linux web servers has been reported. Besides deleting the files, the attackers behind it demand money for the files to be returned. However, it is not clear whether they actually return them.
The new threat has been dubbed FairWare. It is not the first ransomware to target Linux-based web servers, but it is one of the first that deletes the files outright rather than encrypting them in place.
Another malicious program, Linux.Encoder, began encrypting files on Linux servers last November, but it did not last long: a flaw in its encryption allowed researchers to develop a decryption fix almost immediately.
Once the attackers have gained access to a server and deployed FairWare, they delete the entire web folder and demand two bitcoins as ransom (roughly $1,150 at the time) to restore it. This was reported in a blog post from www.bleepingcomputer.com.
A ransom note is left on the compromised server. In it, the attackers claim that, before deleting the files, they encrypted them and uploaded them to another server under their control.
The ransom note reads "We are the only ones in the world that can provide your files for you!" and states that payment must be made within two weeks.
Although the attackers state that they hold copies, there is no concrete proof that they do, which should make administrators think twice before paying the 2 bitcoin ransom.
Victims who have contacted the email address in the ransom note and asked for proof, such as being shown a file first, report that their requests were ignored.
Server administrators commonly keep multiple backups, and web hosting providers usually include backup routines as part of their service.
Webmasters who run their own servers should keep in mind that backups must also be stored in an offsite location or a cloud-based service: a backup that lives only on the server itself is lost along with it when that server is fully compromised.
Even where multiple backup routines are in place, an infection of this kind is a major concern and should be investigated immediately by the server administrator to find the weakness that allowed the breach in the first place.
The most common causes are vulnerabilities in the website itself and stolen credentials, including weak credentials guessed through brute-force attacks.
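Brute-forced or stolen SSH credentials are one of the causes named above, and the first thing an administrator investigating such a breach checks is the sshd entries in /var/log/auth.log: a burst of failed passwords from one address followed by a successful login from that same address. The following is an added example, not code from the article or from BleepingComputer, of that check. The log format is the real OpenSSH syslog format, but the specific lines, the hostname, the RFC 5737 test addresses, the year used for ordering, and the threshold of five failures in ten minutes are all constructed assumptions.

```python
"""Flag SSH brute-force bursts and the successful logins that follow them.

Added example; the sample lines below are constructed, not a real log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of OpenSSH syslog lines (hosts and IPs are test values).
SAMPLE_AUTH_LOG = """\
Aug 29 03:14:07 web01 sshd[2201]: Failed password for root from 203.0.113.45 port 51022 ssh2
Aug 29 03:14:09 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.45 port 51024 ssh2
Aug 29 03:14:11 web01 sshd[2205]: Failed password for invalid user test from 203.0.113.45 port 51026 ssh2
Aug 29 03:14:13 web01 sshd[2207]: Failed password for root from 203.0.113.45 port 51028 ssh2
Aug 29 03:14:15 web01 sshd[2209]: Failed password for invalid user ubuntu from 203.0.113.45 port 51030 ssh2
Aug 29 03:14:17 web01 sshd[2211]: Failed password for deploy from 203.0.113.45 port 51032 ssh2
Aug 29 03:15:40 web01 sshd[2230]: Failed password for deploy from 198.51.100.7 port 40310 ssh2
Aug 29 03:15:47 web01 sshd[2230]: Accepted password for deploy from 198.51.100.7 port 40310 ssh2
Aug 29 03:16:02 web01 sshd[2240]: Accepted password for deploy from 203.0.113.45 port 51090 ssh2
Aug 29 03:16:05 web01 cron[2250]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches both "Failed password for [invalid user] X from IP" and
# "Accepted password/publickey for X from IP"; other syslog lines are ignored.
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(ts: str, year: int = 2016) -> datetime:
    """Syslog timestamps carry no year; the year is an assumption used only for ordering."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def analyze_sshd(log_text: str, threshold: int = 5,
                 window: timedelta = timedelta(minutes=10)) -> dict:
    """Return failure counts per IP, IPs that hit `threshold` failures inside a
    sliding `window`, and every successful login from such an IP afterwards.
    The last list is the credential-compromise signal worth acting on."""
    failures = defaultdict(int)
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    brute_force = set()
    suspicious_logins = []
    for line in log_text.splitlines():
        m = SSHD_LINE.match(line)
        if not m:
            continue                 # not an sshd auth event (e.g. the cron line)
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                brute_force.add(ip)
        elif ip in brute_force:         # Accepted login from an address that was guessing
            suspicious_logins.append((ip, user, ts.strftime("%b %d %H:%M:%S")))
    return {
        "failures": dict(failures),
        "brute_force": brute_force,
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    report = analyze_sshd(SAMPLE_AUTH_LOG)
    for ip, user, when in report["suspicious_logins"]:
        print(f"{when}: '{user}' logged in from {ip} after "
              f"{report['failures'][ip]} failed attempts; treat the account as compromised")
```

A single typo from the legitimate operator at 198.51.100.7 stays below the threshold and is not reported; the address that guessed six passwords and then got in as "deploy" is. In a real investigation the same logic is run over the rotated auth.log files covering the days before the deletion, and the flagged account's password and keys are rotated before anything is restored from backup.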
The attackers' claim that they hold copies of the files had not been confirmed as of this writing, so do not give in to their demands immediately; exhaust all other options before paying the ransom.