Recently I wrote about a supposedly new ransomware called Fairware that was targeting Linux servers. When a server was hacked by Faireware, it would delete various data folders and create a ransom note in the /root folder stating that the files were encrypted and that a victim needs to pay two bitcoins to get them back. Based on a new article by Duo Security, and confirmation from Fairware victims, it appears that this is just a scam and the attackers did not archive the folders before deleting them.
A new article was published today by Duo Security that details how they discovered insecure Redisinstances on the Internet that were being hacked to install a fake ransomware. After reading this article, I saw that there were striking similarities between the ransom notes that Duo Security described and the ones that were being created by the Fairware attacker.
For example, the Redis hacks were creating ransom notes at /root/READ_TO_DECRYPT that stated:
Hi, please view: http://termbin.com/um7t for further information in regards to your files
The FairWare attacks were creating ransom notes at /root/READ_ME.txt that stated:
Hi, please view here: http://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!
Furthermore, though the wording was changed considerably in the linked to FairWare ransom notes, the language was very similar to the ones described in Duo Security’s article.
Connecting the dots between Redir and Fairware
According to Duo Security’s article, the hackers targeted insecure Redis servers and hacked them so that they installed their own SSH key. This allowed them to connect to and login to the hacked server.
The new key that was uploaded was called crackit and would contain the email address firstname.lastname@example.org. This key is:
crackit ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAA ABAQC6HyEUZtaiLH14RcYqlDFYFfEg0ad5QCdMk6DK HDx8nD0jAxX0xV/NeAGLz3IFFSYV87dpFn74aTs6F9Z7 gXfh+q76q4C9QPYRJkkTY2/7UUXhGRCuqzWYo7SNRV wUJZWcsLx34RG5de3LbZj5Q+IV4v4E0KuKNxF/0AL5h UEZEUW13EnIOFP1yllvGMrxJDFmsgLWt0idjfQMZXH5 iz1r/wQg73yBRY638C0ktHLsVnE71c3z/mOV2mGPZRZl7 y1CykS0n4gY4P5KwC8wZ24xRUAenOY+6JxczoduAtIseh 7HNWZ2EWG78myt8imQt6E3DCdpv7rxSxc9Qo3nnWEx email@example.com
Due to the similarities between this hack and Fairware, I contacted some of the victims to confirm if they were running Redis. I heard back from two of them who stated that they were running Redis and found that their authorized_keys file was changed to the exact crackit key shown in the Duo Security article. Furthermore, one of the Fairware attackers used the IP address of 18.104.22.168, which is the same one found in Duo Security’s list of attacker IP addresses.
This confirmed that the hacks described in the article and Fairware were one in the same.
Duo Security’s article also provides more insight into what actions the hackers perform once they gain access to the Redis server. Once logged in, they will issue the following commands, which have been modified for the Fairware attack:
rm -rf /var/www/ rm -rf /usr/share/nginx rm -rf /var/lib/mysql/ rm -rf /data/ echo "Hi, please view: http://termbin.com/um7t for further information in regards to your files" > /root/READ_TO_DECRYPT echo "Hi, please view: http://termbin.com/um7t for further information in regards to your file!" > /etc/motd
Duo Security went on to say that they saw no indication that the files were encrypted or even backed up anywhere before being deleted. Therefore, this appears to be a scam where the attackers are trying to scare you into paying the ransom, but will not be providing the deleted files.