August 29, 2016
A new attack called FairWare Ransomware is targeting Linux users where the attackers hack a Linux server, delete the web folder, and then demand a ransom payment of two bitcoins to get their files back. In this attack, the attackers most likely do not encrypt the files, and if they do retain the files, probably just upload it to a server under their control.
Victims have reported that they first learned about this attack when they discovered their web sites were down. When they logged into their Linux servers, they discovered that the web site folder had been removed and a note called READ_ME.txt was left in the /root/ folder. This note contains a link to a further ransom note on pastebin.
The content of the READ_ME.txt file is:
Hi, please view here: http://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!
The full content of the FairWare ransom note is:
YOUR SERVER HAS BEEN INFECTED BY FAIRWARE | YOUR SERVER HAS BEEN INFECTED BY FAIRWARE
Your server has been infected by a ransomware variant called FAIRWARE.
You must send 2 BTC to: 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within 2 weeks from now to retrieve your files and prevent them from being leaked!
We are the only ones in the world that can provide your files for you!
When your server was hacked, the files were encrypted and sent to a server we control!
wasting! Only e-mail if you are prepared to pay or have sent payment! Questions such as:
"can i see files first?" will be ignored.
We are business people and treat customers well if you follow what we ask.
HOW TO PAY:
You can purchase BITCOINS from many exchanges such as:
1) SERVER IP ADDRESS
2) BTC TRANSACTION ID
and we will then give you access to files, you can delete files from us when done
At this time it is unknown of the attacker actually retains the victim's files and will return them after ransom payment. Though all ransomware victims should avoid paying a ransom, if you do plan on paying, it is suggested you verify they have your files first.