A new ransomware virus has been reported to cause damage to web servers based on Linux. This virus, dubbed Fairware, does not use a direct encryption approach. Unlike other ransomware for web servers, the malware directly eliminates the web folder of the compromised server. Malware researchers believe that this threat is still at large, and it may make copies of the web folder on the C&C (Command and Control) servers of the people behind it.
The Fairware virus demands that its victim pay the sum of 2 BTC (approximately 1200 US dollars).
Fairware Ransomware – More Information
According to victims’ reports, the deletion of the web folder resulted in their websites being down. In addition, a ransom note was left in the root folder of their Linux systems. The note does not contain the ransom instructions itself. Instead, it has a URL that leads to them, along with a brief request to open it.
The file is named READ_ME.txt and its content is the following:
→“Hi, please view here: https://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!”
This URL has been checked, and it does not contain any viruses. However, it contains payment instructions for converting money into the cryptocurrency Bitcoin and paying the 2 BTC ransom requested by the crooks.
The instructions set by Fairware ransomware are the following:
→“YOUR SERVER HAS BEEN INFECTED BY FAIRWARE | YOUR SERVER HAS BEEN INFECTED BY FAIRWARE
Hi,
Your server has been infected by a ransomware variant called FAIRWARE.
You must send 2 BTC to: 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within two weeks from now to retrieve your files and prevent them from being leaked!
We are the only ones in the world that can provide your files for you!
When your server was hacked, the files were encrypted and sent to a server we control!
You can e-mail fairware@sigaint.org for support, but please no stupid questions or time wasting! Only e-mail if you are prepared to pay or have sent payment! Questions such as:
“can I see files first?” will be ignored.
We are business people and treat customers well if you follow what we ask.
FBI ADVISE FOR YOU TO PAY: https://www.tripwire.com/state-of-security/latest-security-news/ransomware-victims-should-just-pay-the-ransom-says-the-fbi/
HOW TO PAY:
You can purchase BITCOINS from many exchanges such as:
https://okcoin.com
https://coinbase.com
https://localbitcoins.com
https://kraken.com
When you have sent payment, please send e-mail to fairware@sigaint.org with:
1) SERVER IP ADDRESS
2) BTC TRANSACTION ID
and we will then give you access to files; you can delete files from us when done
Goodbye!”
The ransom instructions above make it clear that the cyber-criminals’ one and only aim is to frighten the victims of the virus into paying the ransom. They even use the FBI as a pretext, claiming that even the law advises paying the ransom. And if this is not convincing enough, users are also told that the files of their website will be publicly exposed, which amounts to a direct threat.
Fairware Virus – What Should I Do?
The virus gives a two-week deadline for payment. However, malware researchers strongly advise against paying any ransom money to cyber-criminals for several obvious reasons:
- The virus may have already permanently deleted your website folder.
- You pay money to support criminal activity.
Instead, website administrators are advised to clean this virus from their web server and look for any backups from which to recover their files.
At the moment, there does not seem to be a viable solution for this virus, but malware researchers and law enforcement are working on catching the people responsible, which should lead to more information being released. We plan to keep updating this article with new information about the Fairware ransomware threat.
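A read-only triage check for the indicators described above (a READ_ME.txt note in the root folder that points to a pastebin.com paste, and a missing web folder), added here as an example and not taken from the original article. The function name fairware_triage, the /root location and the /var/www web folder path are assumptions.

```shell
#!/bin/sh
# Added example: check a Linux web server for the Fairware indicators
# described in the article. Read-only: it changes and deletes nothing.
#
# Assumptions (not from the article): "root folder" may mean / or /root,
# and the web folder lives at /var/www. Set WEB_DIRS for other layouts.
WEB_DIRS="${WEB_DIRS:-/var/www}"

# fairware_triage [PREFIX]
#   PREFIX points the check at a mounted disk image or a test tree;
#   leave it empty to inspect the live system.
#   Prints one finding per line; returns 1 if a ransom note matched, else 0.
fairware_triage() {
    prefix="${1:-}"
    found=0

    for note in "$prefix/READ_ME.txt" "$prefix/root/READ_ME.txt"; do
        [ -f "$note" ] || continue
        # The note is one line asking the reader to open a pastebin.com URL.
        if grep -Eqi 'pastebin\.com/|how to obtain your files' "$note"; then
            echo "NOTE $note"
            found=1
        else
            # Same file name, different content: report it, do not alarm.
            echo "UNRELATED_README $note"
        fi
    done

    # The article says the web folder itself is removed, so report its state.
    for dir in $WEB_DIRS; do
        path="$prefix$dir"
        if [ ! -d "$path" ]; then
            echo "WEBROOT_MISSING $path"
        elif [ -z "$(ls -A "$path" 2>/dev/null)" ]; then
            echo "WEBROOT_EMPTY $path"
        else
            echo "WEBROOT_PRESENT $path"
        fi
    done

    return "$found"
}

# Usage: fairware_triage            (live system)
#        fairware_triage /mnt/image (mounted copy of the server disk)
```

A NOTE line together with WEBROOT_MISSING or WEBROOT_EMPTY matches the behaviour victims reported; preserve the note file and its timestamps before restoring from backup.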
is based on Linus?
Yes, and it may attack Apache servers as well.
Hello Morgan,
The virus is genuinely created for Linux computers, but I am not sure what its source code is based on. It may primarily attack Linux PCs that have been configured to run as servers.