A new ransomware called KimcilWare has been discovered that appears to be targeting web sites using the Magento eCommerce solution. It is currently unknown how these sites are being compromised, but victims will have their web site files encrypted using a Rijndael block cipher and then ransomed for anywhere between $140 USD and $415 USD depending on the variant that infected them. Unfortunately, at this time there is no way to decrypt the data for free.
KimcilWare was first spotted when a security researcher going by the Twitter handle malwareforme had posted about a new Windows ransomware. This ransomware was a Hidden Tear variant that was broken due to SSL connectivity issues with its Command & Control server. The ransom note, though, contained the email address email@example.com, which security researcher MalwareHunterTeam discovered also appeared on a web site that appeared to be infected with a ransomware called KimcilWare.
Further research turned up two support requests where people were asking for help after discovering their server was encrypted. Though there were differences between these two cases, the one similarity was that both ransom notes contained the firstname.lastname@example.org email address and both were web sites using the Magento platform.
After doing some research, it is apparent that this tuyuljahat actor has been hacking Magento servers for at least the past month and installing a script that encrypts the data on the web site. When attacking the sites they have used at least two different scripts to encrypt the data.
One script will encrypt all data on the web site and append the .kimcilware extension to all encrypted files. It will also insert an index.html file that displays the ransom note shown above. The KimcilWare variant has a ransom amount of $140 USD. You can see an example of a folder encrypted with the KimcilWare script below.
The other script will append the .locked extension to encrypted files, but does not replace the index.html with a ransom note. Instead it will create a file called README_FOR_UNLOCK.txt in every folder, which contains the ransom instructions below.
ALL YOUR WEBSERVER FILES HAS BEEN LOCKED
You must send me 1 BTC to unlock all your files.
Pay to This BTC Address: 111111111111111111111111111111111
Contact email@example.com after you send me a BTC. Just inform me your website url and your Bitcoin Address.
I will check my Bitcoin if you realy send me a BTC I will give you the decryption package to unlock all your files.
Hope you enjoy
The ransom amount of the Locked version is 1 bitcoin or approximately $415 USD.
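For an administrator triaging a Magento web root, the two scripts leave different file-level traces: the .kimcilware extension on encrypted files, or the .locked extension plus a README_FOR_UNLOCK.txt in every folder. The following is an added example (not code from the article or from either script) that walks a directory tree, counts those indicators per variant, and builds a constructed sample tree to run against; the variant names, the sample file names and the helper functions are assumptions of this example.

```python
import tempfile
from pathlib import Path

# File-level indicators described in the article, keyed by an assumed variant name.
# The .kimcilware script drops an index.html ransom note, which cannot be told apart
# from a legitimate index.html by name alone, so only the extension is counted for it.
VARIANTS = {
    "KimcilWare": {"ext": ".kimcilware", "note": None, "ransom_usd": 140},
    "Locked": {"ext": ".locked", "note": "README_FOR_UNLOCK.txt", "ransom_usd": 415},
}


def triage_webroot(root):
    """Walk a web root and count encrypted files and ransom notes for each variant.

    Returns {"total_files": n, "variants": {name: {"encrypted", "notes", "ransom_usd"}}},
    listing only variants for which at least one indicator was seen.
    """
    counts = {n: {"encrypted": 0, "notes": 0, "ransom_usd": v["ransom_usd"]}
              for n, v in VARIANTS.items()}
    total = 0
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        total += 1
        for name, ind in VARIANTS.items():
            if path.suffix == ind["ext"]:
                counts[name]["encrypted"] += 1
            elif ind["note"] and path.name == ind["note"]:
                counts[name]["notes"] += 1
    hits = {n: c for n, c in counts.items() if c["encrypted"] or c["notes"]}
    return {"total_files": total, "variants": hits}


def build_sample_webroot(base):
    """Constructed sample tree mimicking the .locked script's effect (not real victim data)."""
    base = Path(base)
    for folder in ("", "app/etc", "pub/media"):
        d = base / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / "README_FOR_UNLOCK.txt").write_text("ALL YOUR WEBSERVER FILES HAS BEEN LOCKED\n")
    (base / "app/etc/env.php.locked").write_bytes(b"\x00\x11\x22")   # constructed ciphertext stub
    (base / "pub/media/logo.png.locked").write_bytes(b"\x33\x44")
    (base / "index.php").write_text("<?php // untouched file\n")
    return base


def demo():
    """Build the constructed tree in a temp directory and return the triage report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return triage_webroot(tmp)
```

Run `demo()` to see the report; on a real server, point `triage_webroot` at the Magento document root.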
At this point there is no information on how the servers are being hacked, though one victim felt it was related to theÂ Helios Vimeo Video Gallery extension. This has not been confirmed.