A new attack called FairWare Ransomware is targeting Linux users where the attackers hack a Linux server, delete the web folder, and then demand a ransom payment of two bitcoins to get their files back. In this attack, the attackers most likely do not encrypt the files, and if they do retain the files, they probably just upload them to a server under their control.
Victims have reported that they first learned about this attack when they discovered their web sites were down. When they logged into their Linux servers, they discovered that the web site folder had been removed and a note called READ_ME.txt was left in the /root/ folder. This note contains a link to a further ransom note on pastebin.
The content of the READ_ME.txt file is:
Hi, please view here: http://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!
The ransom note on pastebin requests that the victim pay two bitcoins to the bitcoin address 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within two weeks to get their files back. They are also told that they can email fairware@sigaint.org with any questions.
The full content of the FairWare ransom note is:
YOUR SERVER HAS BEEN INFECTED BY FAIRWARE | YOUR SERVER HAS BEEN INFECTED BY FAIRWARE
Hi,
Your server has been infected by a ransomware variant called FAIRWARE.
You must send 2 BTC to: 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within 2 weeks from now to retrieve your files and prevent them from being leaked!
We are the only ones in the world that can provide your files for you!
When your server was hacked, the files were encrypted and sent to a server we control!
You can e-mail fairware@sigaint.org for support, but please no stupid questions or time
wasting! Only e-mail if you are prepared to pay or have sent payment! Questions such as:
"can i see files first?" will be ignored.
We are business people and treat customers well if you follow what we ask.
FBI ADVISE FOR YOU TO PAY: https://www.tripwire.com/state-of-security/latest-security-news/ransomware-victims-should-just-pay-the-ransom-says-the-fbi/
HOW TO PAY:
You can purchase BITCOINS from many exchanges such as:
http://okcoin.com
http://coinbase.com
http://localbitcoins.com
http://kraken.com
When you have sent payment, please send e-mail to fairware@sigaint.org with:
1) SERVER IP ADDRESS
2) BTC TRANSACTION ID
and we will then give you access to files, you can delete files from us when done
Goodbye!
At this time it is unknown if the attacker actually retains the victim's files and will return them after ransom payment. Though all ransomware victims should avoid paying a ransom, if you do plan on paying, it is suggested you verify they have your files first.
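The indicators described above (a READ_ME.txt dropped in /root that points at pastebin, a web root that has been deleted, and a ransom address and contact e-mail in the pastebin note) are simple enough to check for mechanically. The following is an added triage script, not code from the article or from the attackers' note: it reads a mounted root filesystem (or a copied image) read-only and reports which of the described indicators are present, and it pulls the Bitcoin address and contact address out of a saved copy of the note text. The `build_demo_fixture` helper constructs a throwaway directory that reproduces the reported state so the script can be run without a compromised server; the fixture contents are constructed from the article, and the Base58 address pattern is a generic legacy-address regex, not something the article specifies.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the article: note name and location, the pastebin link
# in the note, and the web roots victims reported as deleted.
NOTE_NAME = "READ_ME.txt"
NOTE_TEXT = ("Hi, please view here: http://pastebin.com/raw/jtSjmJzS "
             "for information on how to obtain your files!\n")
WEB_ROOTS = ("var/www", "opt")

# Excerpt of the pastebin note as quoted in the article (used for the demo).
PASTEBIN_NOTE = (
    "You must send 2 BTC to: 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within 2 weeks "
    "from now to retrieve your files and prevent them from being leaked!\n"
    "When your server was hacked, the files were encrypted and sent to a server we control!\n"
    "You can e-mail fairware@sigaint.org for support, but please no stupid questions\n"
)

PASTEBIN_RE = re.compile(r"https?://pastebin\.com/\S+")
# Generic legacy Bitcoin address (Base58, starts with 1 or 3); assumption, not from the page.
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def extract_note_indicators(text):
    """Pull payment address(es) and contact e-mail(s) out of ransom note text."""
    return {
        "btc_addresses": sorted(set(BTC_ADDR_RE.findall(text))),
        "emails": sorted(set(EMAIL_RE.findall(text))),
        "pastebin_links": sorted(set(PASTEBIN_RE.findall(text))),
    }


def scan_for_fairware_indicators(root):
    """Check a filesystem rooted at `root` (the system's /) for the reported pattern.

    Nothing is written or modified, so this can be run against an evidence copy.
    """
    root = Path(root)
    findings = {"ransom_note": None, "pastebin_links": [], "missing_web_roots": []}
    note = root / "root" / NOTE_NAME
    if note.is_file():
        findings["ransom_note"] = str(note)
        findings["pastebin_links"] = PASTEBIN_RE.findall(note.read_text(errors="replace"))
    for rel in WEB_ROOTS:
        if not (root / rel).exists():
            findings["missing_web_roots"].append("/" + rel)
    # The article's pattern is the note plus a wiped web root; either alone is
    # only a weak signal, so require both before calling it a match.
    findings["matches_fairware"] = bool(findings["ransom_note"]) and bool(findings["missing_web_roots"])
    return findings


def build_demo_fixture(compromised=True):
    """Constructed fixture: a fake root filesystem in a temp directory.

    compromised=True reproduces the state victims reported (note present, web
    root gone); compromised=False is a healthy server for comparison.
    """
    root = Path(tempfile.mkdtemp(prefix="fairware-demo-"))
    (root / "root").mkdir()
    (root / "etc").mkdir()
    if compromised:
        (root / "root" / NOTE_NAME).write_text(NOTE_TEXT)
    else:
        (root / "var" / "www" / "html").mkdir(parents=True)
        (root / "opt").mkdir()
    return root


if __name__ == "__main__":
    print(scan_for_fairware_indicators(build_demo_fixture()))
    print(extract_note_indicators(PASTEBIN_NOTE))
```

On a real incident, point `scan_for_fairware_indicators` at the mount point of a disk image rather than the live system, and feed `extract_note_indicators` the saved note text so the address and e-mail can be recorded as indicators without visiting the pastebin link from the affected host.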
Update 9/1/16: It has been discovered that Fairware is being installed via hacked Redis servers. More information can be found here: Hacked Redis Servers being used to install the Fairware Ransomware Attack
Comments
inkoalawetrust - 7 years ago
Wait so it affects websites or normal users too?
zocton - 7 years ago
My apologies, I posted my reply as its own comment. (See below)
zocton - 7 years ago
It affected a server that was running Linux, which is why it affected their website as opposed to an actual user. Now, which flavours of Linux does it affect? Is one of those flavours similar enough to the flavour you are currently running? These are the real questions. I would not worry about it too much at this time, if you are solely a home user.
Lawrence Abrams - 7 years ago
Agreed. This appears to be solely targeted at Linux users/servers running web sites. As more info is discovered, we will be sure to let everyone know.
DodoIso - 7 years ago
Considering the limited damage, this would suggest a web server vulnerability or a web user hacked password. Which web server? And which version?
The last message of the BC thread suggests an SSH brute force attack. If so, I would suspect just the bad side effect of bad configuration files. Definitely a bad idea to let any user access through SSH, especially web & root.
Slethen - 7 years ago
I got this on an up-to-date Ubuntu 14.04 VPS hosted by bHost Limited 3 days ago.
They removed /var/www/ & my entire /opt/ directory.
Looking at bandwidth usage around that time, it was 100GB, which is very heavy for my site.
There was 50gb of data stored on the server, so it's more than likely that they did take the information.
I didn't check SSH logs but the last user logged into the site was my IP.
Just thought I'd add some information to the thread.
Thanks!
Lawrence Abrams - 7 years ago
Thanks for the info. Did you reach out to the attacker yet? Have you determined how they gained access to the server?
Slethen - 7 years ago
Unfortunately I've reinstalled the VPS and now using ssh key authentication.
I have a hunch that they may have got in via a WordPress flaw, as I used a 13 character password with numbers, letters and symbols for my ssh password.
And the only suspicious behaviour in my nginx access/error log was high volume xmlrpc.php calls from a US IP.
I probably won't reach out, at least not using my personal email address, as I see that data as unrecoverable.
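The one anomaly this commenter found in the nginx logs was a high volume of xmlrpc.php calls from a single IP. That signal is easy to surface from an access log by counting POSTs to xmlrpc.php per source address per hour. The code below is an added example, not something posted in this thread: it parses nginx's default combined log format, tallies xmlrpc.php POSTs by (IP, hour), and flags sources above a threshold. The log lines are constructed for the demo (RFC 5737 documentation addresses), and the default threshold of 50 per hour is an assumption to be tuned against a site's normal Jetpack/mobile-app traffic.

```python
import re
from collections import Counter

# nginx "combined" format; only the fields needed for the tally are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)


def parse_access_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # "29/Aug/2016:03:12:01 +0000" -> "29/Aug/2016:03", so counts are per IP per hour.
    rec["hour"] = rec["ts"][:14]
    return rec


def xmlrpc_posts_per_ip_hour(lines):
    """Count POST requests to xmlrpc.php keyed by (client IP, hour bucket)."""
    counts = Counter()
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        # Strip any query string before matching the script name.
        if rec["path"].split("?", 1)[0].endswith("/xmlrpc.php"):
            counts[(rec["ip"], rec["hour"])] += 1
    return counts


def flag_xmlrpc_abuse(lines, threshold=50):
    """Return [(ip, hour, count), ...] for sources at or above `threshold`, busiest first."""
    hits = [(ip, hour, n) for (ip, hour), n in xmlrpc_posts_per_ip_hour(lines).items()
            if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


# Constructed sample: one normal visitor with a single xmlrpc.php call, one
# unparseable line, and one source hammering xmlrpc.php six times in a minute.
SAMPLE_LOG = [
    '198.51.100.23 - - [29/Aug/2016:03:10:44 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [29/Aug/2016:03:10:45 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    "this line is not in combined log format and is skipped",
] + [
    f'203.0.113.7 - - [29/Aug/2016:03:12:{s:02d} +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.9"'
    for s in range(0, 60, 10)
]


if __name__ == "__main__":
    # A low threshold for the small sample; production values are much higher.
    for ip, hour, n in flag_xmlrpc_abuse(SAMPLE_LOG, threshold=5):
        print(f"{ip} made {n} xmlrpc.php POSTs in hour {hour}")
```

Run it against a real file with `flag_xmlrpc_abuse(open("/var/log/nginx/access.log"))`; the flagged addresses are candidates for rate limiting or blocking at the web server, and a spike in this count is a useful alert to wire into whatever log monitoring the server already has.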
Demonslay335 - 7 years ago
I'd recommend WordFence, it does a terrific job of locking down WordPress sites. It has a software firewall that helps block IP abuse and monitors for outdated plugins and known exploits. There is a premium version with extra protection, but I use the free version on probably 20 sites, including some that were already "under the hacker's scope" when I got to them, not a single breach yet *knocks on wood*.
Mr.Tom - 7 years ago
I think the whole world is going to turn into one big ransomware soon.
Give us 3,000,000 bitcoins and you can have your planet back!
opera - 7 years ago
Is this the same?
http://news.softpedia.com/news/redis-servers-targeted-with-fake-ransomware-507811.shtml
Lawrence Abrams - 7 years ago
Yes, it is confirmed that the Redis hack is being used to install Fairware. Also it appears that these scumbags are deleting a victim's files but not saving them anywhere.
I wrote an article about the redis hack here:
https://www.bleepingcomputer.com/news/security/hacked-redis-servers-being-used-to-install-the-fairware-ransomware-attack/
MIKEBATANS - 7 years ago
Please don't pay any BTC. The hackers only delete all files and backups. They don't copy your files to other servers. My server with Redis was hacked 2 weeks ago. I transferred 4 BTC to the hackers, but I lost all sites and backups.