Websites using the Magento platform have been hit by ransomware. Once infected, the sites are deemed unusable. The ransomware is called KimcilWare and encrypts webserver files. After encryption, it adds its index file on victim servers that can be viewed from the domain of the respective site. The extension .kimcilware can be seen all over that Index page.
For now, KimcilWare ransomware’s method of infection and its distribution are unknown. Although exploit kits are known to have attacked Magento sites in the past and certain vulnerabilities were found on the e-commerce platform, this is a new kind of attack.
Technical Details about KimcilWare Ransomware
As this is a fairly new ransomware that is expected yet to evolve, there is not much information about it. The things that are known will be outlaid below.
KimcilWare encrypts files on webservers. When the encryption is done, the ransomware adds its own index file on the infected server. An image is shown above. The extension .kimcilware is added to the encrypted files. About ten sites are reported to have fallen victim to the attack.
$140 are asked as ransom payment, as you can see from the ransom message:
Image Source: news.softpedia.com
A user on Magento’s official forums reports what the ransomware creates a file containing the full ransom note called README_FOR_UNLOCK.txt.
The file reads the following:
ALL YOUR WEBSERVER FILES HAS BEEN LOCKED
You must send me 1 BTC to unlock all your files.
Pay to This BTC Address: 1859TUJQ4QkdCTexMTUQYu52YEJC49uLV4
Contact firstname.lastname@example.org after you send me a BTC. Just inform me your website url and your Bitcoin Address.
I will check my Bitcoin if you realy send me a BTC I will give you the decryption package to unlock all your files.
Hope you enjoy 😉
Paying the ransom is NOT advised. Nobody can guarantee that your webserver files will get decrypted after payment. The money will go to the ransomware creators, and that could easily spiral into a new ransomware variant.
Prevent KimcilWare Ransomware from Infecting You
To prevent an infection from the KimcilWare ransomware, admins of Magento websites should make sure they have a strong password set for their accounts. Also, keeping Magento store versions updated as quickly as possible is sound advice. Having an anti-malware tool installed is always a good idea.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter