Security researchers have discovered new malware that is specifically designed to target Magento e-commerce platforms. It is called KimcilWare ransomware and though it’s currently in its early stages, the malware could evolve very fast.
“A new ransomware called KimcilWare has been discovered that appears to be targeting web sites using the Magento eCommerce solution. It is currently unknown how these sites are being compromised, but victims will have their web site files encrypted using a Rijndael block cipher and then ransomed for anywhere between $140 USD and $415 USD depending on the variant that infected them. Unfortunately, at this time there is no way to decrypt the data for free.”
It is easy to recognize KimcilWare ransomware because it appends the “.kimcilware” extension at the end of each encrypted file of the Magento platform.
“One script will encrypt all data on the web site and append the .kimcilware extension to all encrypted files. It will also insert a index.html file that displays the ransom note shown above. The KimcilWare variant has a ransom amount of $140 USD.
The malware also uses its index file in order to publish a black page that informs the victims that the server had been encrypted.
“Webserver Encrypted” states the message on the home page “Your webserver files has been encrypted with a unix algorithm encryptor. You must paw 140$ to decrypt your webserver files. Payment via Bitcoin only. For more information contact me at tuyuljahat@hotmail.com.”
The worst thing in this case is that the infection process of KimcilWare ransomware is currently unknown, though, the number of infections is still limited.
KimcilWare ransomware was first reported on March 3 by the owner of a Magento store (version 1.9.1.0) on StackExchange. The administrator noticed that only one site on a server with multiple Magento instances was infected.
Another case of KimcilWare infection was reported a few days later on Magento’s official forum, from a store owner running version 1.9.2.4. The admin of Magento speculates a security issue affecting the Helios Video Gallery extension.
A bit later a security researcher found out another ransomware with similar to KimcilWare capabilities. This malware is named MireWare and it uses the same tuyuljahat@hotmail.com email address in its ransom note included in the index page.
According to the researchers, MireWare is a variant of the Hidden Tear open source ransomware, published by the security researchers Utku Sen for educational purposes. However, the threat is currently broken due to the lack of a valid SSL certificate for its C&C server.
