1_backup-disaster_story

If you host a website on a Linux server, watch out for the new FairWare ransomware. Little is known about it yet, but it targets Linux web servers, deletes the web folder on the server and leaves a READ_ME.txt file demanding a ransom of 2 bitcoins to get the files back.

The contents of the READ_ME.txt file are:

Hi, please view here: http://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!

The ransom note on pastebin requests that the victim pay two bitcoins to the bitcoin address 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within two weeks to get their files back. They are also told that they can email fairware@sigaint.org with any questions.

The contents of the FairWare ransom note are:

YOUR SERVER HAS BEEN INFECTED BY FAIRWARE

Hi,

Your server has been infected by a ransomware variant called FAIRWARE.
You must send 2 BTC to: 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within 2 weeks from now to retrieve your files and prevent them from being leaked!

We are the only ones in the world that can provide your files for you!
When your server was hacked, the files were encrypted and sent to a server we control!

You can e-mail fairware@sigaint.org for support, but please no stupid questions or time
wasting! Only e-mail if you are prepared to pay or have sent payment! Questions such as:
“can i see files first?” will be ignored.
We are business people and treat customers well if you follow what we ask.

FBI ADVISE FOR YOU TO PAY: https://www.tripwire.com/state-of-security/latest-security-news/ransomware-victims-should-just-pay-the-ransom-says-the-fbi/

HOW TO PAY:

You can purchase BITCOINS from many exchanges such as:

http://okcoin.com
http://coinbase.com
http://localbitcoins.com
http://kraken.com

When you have sent payment, please send e-mail to fairware@sigaint.org with:

1) SERVER IP ADDRESS
2) BTC TRANSACTION ID

and we will then give you access to files, you can delete files from us when done

Goodbye!

There is no further information yet about how this ransomware spreads, but it is possible that the attacker gains access by brute-forcing the server's root password over SSH. Since FairWare is new, it is also not known whether paying the ransom actually gets your files back.
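If password guessing over SSH really is the entry vector, the evidence is already in the server's auth log before the web folder disappears. The following shell script is an added example, not code from the original post or from any FairWare analysis: it counts failed SSH password logins per source address and flags sources that cross a threshold. The log lines are constructed for the example (not a real capture) and follow the "Failed password for ... from ..." format that OpenSSH writes via syslog to /var/log/auth.log on Debian/Ubuntu or /var/log/secure on Red Hat derivatives; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): count failed SSH password
# logins per source IP from auth-log lines and flag sources that exceed a
# threshold. Assumed input: OpenSSH "Failed password for ... from <ip> ..."
# lines as written to /var/log/auth.log or /var/log/secure.

# Constructed sample log lines (not a real capture); one address hammers root.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Aug 28 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Aug 28 03:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 50124 ssh2
Aug 28 03:14:05 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 50126 ssh2
Aug 28 03:14:07 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 50128 ssh2
Aug 28 03:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 50130 ssh2
Aug 28 03:20:11 web1 sshd[2301]: Failed password for alice from 198.51.100.4 port 41000 ssh2
Aug 28 03:21:40 web1 sshd[2310]: Accepted publickey for alice from 198.51.100.4 port 41002 ssh2
EOF

# failed_logins_by_ip FILE: print "<count> <ip>" for every source address that
# produced a failed password login, most active first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             # the address is the field right after the literal word "from"
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# brute_force_sources THRESHOLD FILE: print only the addresses whose
# failed-login count is at or above THRESHOLD.
brute_force_sources() {
    failed_logins_by_ip "$2" | awk -v t="$1" '$1 >= t { print $2 }'
}

echo "failed password logins per source:"
failed_logins_by_ip "$SAMPLE_LOG"
echo "sources at or above 5 failures:"
brute_force_sources 5 "$SAMPLE_LOG"
```

On a real host, point the functions at the live log instead of the temp file; the threshold is a tuning knob, and a single address producing dozens of failures per minute against root is the pattern worth alerting on.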

If you have SSH enabled on your server, use public/private key authentication with a strong key pair and protect your private key with a strong passphrase for optimal security!
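Key-based authentication only helps if password logins are actually switched off in sshd_config, and root should not be reachable by password at all. The script below is an added example, not code from the original post: it reads a sshd_config, reports the effective values of PermitRootLogin and PasswordAuthentication, and exits non-zero when either is weak. It assumes OpenSSH's rule that the first occurrence of a keyword wins and that keywords are case-insensitive; it does not handle Match or Include blocks, so on a live server prefer `sshd -T`, which prints the effective configuration. Both config files are constructed samples, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: a minimal audit of sshd_config
# for the two settings that matter most against password guessing. Assumes
# OpenSSH semantics (first occurrence of a keyword wins, keywords are
# case-insensitive). Match/Include blocks are not handled; on a live host
# `sshd -T` prints the effective configuration and is the better source.

# Constructed sample: a weak configuration of the kind a default image may ship.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

# Constructed sample: the corrected configuration (keys only, no root login).
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

# sshd_setting FILE KEYWORD DEFAULT: print the effective value of KEYWORD,
# or DEFAULT when the file does not set it.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*#/ || NF < 2 { next }          # skip comments and blanks
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# audit_sshd FILE: print one line per finding; exit status 0 = hardened, 1 = weak.
# Defaults mirror OpenSSH 7.0+: PermitRootLogin prohibit-password,
# PasswordAuthentication yes.
audit_sshd() {
    weak=0
    root=$(sshd_setting "$1" PermitRootLogin prohibit-password)
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    case "$root" in
        no|prohibit-password|without-password)
            echo "ok   PermitRootLogin $root" ;;
        *)
            echo "WEAK PermitRootLogin $root (root password guessing possible)"
            weak=1 ;;
    esac
    if [ "$pw" = "no" ]; then
        echo "ok   PasswordAuthentication no"
    else
        echo "WEAK PasswordAuthentication $pw (keys only is the stronger setting)"
        weak=1
    fi
    return $weak
}

audit_sshd "$WEAK_CFG" || echo "-> weak configuration: $WEAK_CFG"
audit_sshd "$HARD_CFG" && echo "-> hardened configuration: $HARD_CFG"
```

Run it against /etc/ssh/sshd_config (or the output of `sshd -T`) and fix any WEAK line before the server is exposed; after changing sshd_config, test a key-based login from a second session before closing the one you are in.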