Magento is new target for KimcilWare ransomware
Magento users need to stay alert against KimcilWare ransomware, which has now begun targeting them.
The malware encrypts servers and demands a ransom in Bitcoin from webmasters to restore functionality.
If a cyberattacker is able to compromise the server-side aspect of a Web domain, they may be able to steal sensitive data, infiltrate databases and potentially hijack websites as a result.
In e-commerce cases, the scenario can be worse as financial information may be involved.
Further research turned up two support requests where people were asking for help after discovering their server was encrypted. Though there were differences between these two cases, the one similarity was that both ransom notes contained the tuyuljahat@hotmail.com email address and both were web sites using the Magento platform.
It is apparent that this tuyuljahat actor has been hacking Magento servers for at least the past month and installing a script that encrypts the data on the web site. When attacking the sites they they have used at least two different scripts to encrypt the data.
One script will encrypt all data on the web site and append the .kimcilware extension to all encrypted files. It will also insert a index.html file that displays the ransom note shown above. The KimcilWare variant has a ransom amount of $140 USD. You can see an example of a folder encrypted with the KimcilWare script below.
The other script will append the .locked extension to encrypted files, but does not replace the index.html with a ransom note. Instead it will create a file called README_FOR_UNLOCK.txt in every folder, which contains the ransom instructions below.
ALL YOUR WEBSERVER FILES HAS BEEN LOCKED
You must send me 1 BTC to unlock all your files.
Pay to This BTC Address: 1xxxxxxxxxxxxxxxxxx1xx11xxxxx1xxx
Contact tuyuljahat@hotmail.com after you send me a BTC. Just inform me your website url and your Bitcoin Address.
I will check my Bitcoin if you realy send me a BTC I will give you the decryption package to unlock all your files.Hope you enjoy ;)
The ransom amount of the Locked version is 1 bitcoin or approximately $415 USD.
At this point there is no information on how the servers are being hacked, though one victim felt it was related to the Helios Vimeo Video Gallery extension. This has not been confirmed.
Though Magento had posted a security notice in November 2015 about Magento servers being hacked to install ransomware, there is no official response regarding the current attacks at this point.
At this stage, it is not known how the malware is managing to infect Magento domains, and there is no cure for the infection. Infected users should consider reverting to backups to wipe clean the infection. But as always ensure your Magento install is up to date, we can provide an update service if required, please raise a support ticket to ask about pricing,
KimcilWare appears to be a variation of Hidden Tear, an abandoned open-source ransomware sample created for educational purposes.