KimcilWare Ransomware Found Targeting Magento Websites
KimcilWare, a new ransomware, was discovered using at least two different scripts to target websites running Magento, a popular e-commerce platform.
KimcilWare targets websites and encrypts files linked to Magento, appending the “.kimcilware” extension to each file, which renders the file useless, and then demands a ransom payment. In addition, KimcilWare adds its own index.html to the server, which displays a ransom note with the headline “Webserver Encrypted” and a message that says “Your webserver files has been encrypted with a unix algorithm encryptor. You must paw[sic] 140$ to decrypt your webserver files. Payment via Bitcoin only. For more information contact me.” An email address is also linked to a Windows ransomware called MireWare, which is based on Hidden Tear, a ransomware variant designed with encryption flaws to prevent abuse.
Another variant of this ransomware appends the “.locked” extension to encrypted files and demands a ransom payment of 1 Bitcoin ($415) for a decryption key. Based on further findings, the ransomware uses the Rijndael block cipher to encrypt files, making it virtually impossible to decrypt the data for free.
As of now, there is no information on the method used to infect Magento servers. However, Magento released a security update on Wednesday that includes a patch for cross-site scripting (XSS), code execution, brute force, insufficient data protection, and information disclosure issues. Magento also warned of a campaign that involves brute-forcing passwords to gain access to administration panels.
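As an added example (not part of the original article), the following Python script sweeps a webroot for the indicators described above: files ending in “.kimcilware” or “.locked”, and an index.html that contains the “Webserver Encrypted” headline. The function names and the sample directory tree are constructed for illustration.

```python
import os
import tempfile

# Indicators as described in the article; ".locked" is a generic suffix that
# other software also uses, so treat those hits as leads to triage.
RANSOM_EXTENSIONS = (".kimcilware", ".locked")
NOTE_HEADLINE = b"webserver encrypted"

def scan_webroot(root, max_note_bytes=65536):
    """Return sorted (kind, relative_path) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            lower = name.lower()
            if lower.endswith(RANSOM_EXTENSIONS):
                findings.append(("encrypted_file", rel))
            elif lower == "index.html":
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(max_note_bytes).lower()
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                if NOTE_HEADLINE in head:
                    findings.append(("ransom_note", rel))
    return sorted(findings)

def build_sample_tree():
    """Constructed sample webroot (not real victim data) for an offline run."""
    root = tempfile.mkdtemp(prefix="webroot_")
    samples = {
        "index.html": b"<h1>Webserver Encrypted</h1>",
        "app/Mage.php.kimcilware": b"\x00\x01",
        "media/logo.png.locked": b"\x00\x01",
        "shop/index.html": b"<h1>Welcome</h1>",
        "app/etc/local.xml": b"<config/>",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for kind, rel in scan_webroot(build_sample_tree()):
        print(f"{kind:15} {rel}")
```

Point `scan_webroot` at the real document root (for example from a scheduled job) and alert on any non-empty result.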