Menu
New ransomware threat deletes files from Linux web servers

New ransomware threat deletes files from Linux web servers

Attackers claim the files are first encrypted and uploaded to a server under their control

A destructive ransomware program deletes files from web servers and asks administrators for money to return them, though it's not clear if attackers can actually deliver on this promise.

Dubbed FairWare, the malicious program is not the first ransomware threat to target Linux-based web servers but is the first to delete files. Another program called Linux.Encoder first appeared in November and encrypted files, but did so poorly, allowing researchers to create recovery tools.

After attackers hack a web server and deploy FairWare, the ransomware deletes the entire web folder and then asks for two bitcoins (around US$1,150) to restore them, Lawrence Abrams, the founder of tech support forum BleepingComputer.com, said in a blog post.

In the ransom note left on the server, attackers claim that before being deleted from the targeted server, the files were first encrypted and uploaded to another server under their control.

"We are the only ones in the world that can provide your files for you!" the ransom note reads. The payment must be made within two weeks, the note says.

There is no evidence yet that attackers actually have copies of the deleted files, so users should think twice before paying. The ransom note includes a contact email address but says questions like "can I see files first?" will be ignored.

Many server operators may decide not to pay because websites typically have backup routines in place. Many web hosting providers also include daily or weekly backups as part of their service.

Webmasters who run their own web servers should keep in mind that backups must be saved to an offsite location, not on the production server where they can be affected by a potential server compromise.

Even with backups available, a ransomware infection should be cause for concern and should prompt the server administrator to investigate the weakness that allowed the server incident to occur in the first place. Possible causes include vulnerabilities in the website or stolen administrative credentials.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.​

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments