The latest ransomware intrusion that targets Linux servers, dubbed “FairWare,” may be a classic server hack designed to bilk money from victims with no intent to return stolen files after payment in bitcoins is made.
Tech support site Bleeping Computer earlier this week reported the threat, based on server administrator comments on its forum. Other reports followed.
The attack targets a Linux server, deletes the Web folder, and then demands a ransom payment of two bitcoins for return of the stolen files, according to BleepingComputer owner Lawrence Abrams.
The attackers apparently do not encrypt the files but may upload them to a server under their control, he noted.
Ransomware or Hack?
Victims first learned about FairWare when they discovered their websites were down. When they logged onto their Linux servers, they discovered that the website folder had been removed. Victims found a note called READ_ME.txt left in the /root/ folder, according to accounts on the forum.
The note contains a link to a further ransom note on pastebin. The link connects to a note telling victims how to obtain their files.
The ransom note on pastebin directs victims to pay two bitcoins to the bitcoin address 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within two weeks. After paying up, victims were to send an email to [email protected] with the server IP address and BTC transaction ID.
The hackers then would provide the victims with access to their files and delete them from the hacker server.
“I am not sure this attack qualifies as ransomware,” observed Chenxi Wang, CSO at Twistlock.
“Even though a ransom demand was made, there is no evidence of an actual malware that infected a vulnerability on the host,” she told LinuxInsider. “This is really more of a classic hack as opposed to a malware-based attack.”
The FairWare attackers apparently tried to encourage victims to cooperate with their payment demands by including in their directions a link to FBI advice that victims should “just pay the ransom” if no other option existed and they needed access to their encrypted data.
The attackers also invited victims to email questions but warned against testing them with “stupid questions or time wasters,” according to the transcript of the note published on Bleeping Computers.
“Questions such as: ‘can i see files first?’ will be ignored. We are business people and treat customers well if you follow what we ask,” the note says.
Not much is known about FairWare — either how it spreads or what methods it employs to hack into servers. That makes it difficult to issue definitive advice on protecting against it.
“At this point, it appears that FairWare is being spread via a WordPress vulnerability, although other vectors are not out of the question,” Core Security System Engineer Bobby Kuzma told LinuxInsider.
The details about the server hacks are still sketchy, Twistlock’s Wang agreed. It appears to be a brute-force attack on SSH (Secure SHell).
“The only way to prevent that is to increase your SSH key length. If you are using 2,048-bit keys, you should consider upgrading to 8,192,” she said.
The sketchy details contribute to the notion that the “ransomware” label in this case is not accurate, said Chris Roberts, chief security architect at Acalvio.
“There’s a lot of talk on both the surface Web and on some of the DarkNet forums that it is nothing more than a scam that has been set up by a team with the hopes of gathering funds,” he told LinuxInsider.
No-Pay Strategy Supported
It appears that no money has been deposited into the digital wallet specified for ransom payments. It is possible that data has been taken, however, and it is also possible that the attackers will release it, Roberts said.
“As an aside, I do love the fact the ransomware chaps quoted the FBI in their letter. It’s awesome to basically cut that argument off at the pass: Standard user/company ‘the FBI will solve it’ has just been nixed,” he added.
Ransomware is a growing concern to enterprises on all levels.
“It’s important to first note that when dealing with ransomware, businesses should never pay the ransom,” said Omer Bitton, vice president for research at enSilo.
“Paying up motivates the threat actors to continue with the practice. Our advice: Stay vigilant for cyberthreats. Back up your data regularly. Share information on cyberattacks and best practices, and deploy technologies that can proactively protect against ransomware,” he told LinuxInsider.
“The costs of good backups are far less than paying a ransom,” Core Security’s Kuzma pointed out.
Who Is at Risk?
At this point, it looks like workstations, laptops and desktops are unaffected by FairWare. That might not be the case for computers that host a publicly accessible WordPress site, however, said Kuzma.
“This is interesting ransomware, since it appears to back up copies of the data offsite, then wipes it from the victim’s system — unlike the normal modus operandi of ransomware, which is to encrypt the data in place,” he said.
Likely targets appear to be Web hosters with websites on Linux systems, said Greg Scott, owner of Infrasupport Corporation.
That makes him a potential victim, since he hosts the website for an IT security educational book he authored on a Red Hat Fedora virtual machine.
The book, Bullseye Breach, is disguised as an international thriller about how Russian mobsters penetrate a large U.S. retailer named “Bullseye Stores” and steal millions of credit cards. In his fictional world, a few good guys come up with a way to fight back.
Potential attackers might want his book website to go offline — and in fact, somebody at a Russian IP Address did attack the site a few months ago, Scott said.
“I stopped it by blocking it at my firewall,” he said, noting that its only exposure to the Internet is incoming Web requests for that site.
FairWare targets mostly websites that are hosted on Linux servers. Unlike other ransomware, it It usually deletes the website content from the server instead of encrypting the files, which can be less problematic, according to Idan Levin, CTO of Hexadite.
“Most companies have a backup of their websites, so in most cases the victim can easily recover the website files if he was able to clean the ransomware from the server,” he told LinuxInsider. “Linux desktops will probably not be affected by this ransomware since they are not running any website servers.”
Keeping the servers current with software upgrades and security patches is critical. Although the FairWare infection methods remain a mystery, Levin suspects the attacker exploits server side vulnerabilities such as Shellshock or Heartbleed.
“So I would suggest that people make sure their websites software is up to date and that they have an updated backup of their files,” he said.
Placing an orchestration and automation solution into play also would be advisable, Levin added. That would make it possible to stop the ransomware in seconds, before any major damage could be done.