Users should be cautious before paying the ransom

Aug 30, 2016 00:55 GMT

At the time of writing, at least three Linux server administrators have complained about a new ransomware variant called FairWare that targets web servers running Linux.

The users, who described their predicament in a ransomware support thread on the Bleeping Computer forum and on the Chinese V2EX Q&A site, said that somebody hacked their servers, removed their website root folders, and left a ransom note behind in the /root folder.

The ransom note (READ_ME.txt) contained only the following text: "Hi, please view here: http://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!"

The Pastebin link leads to a longer ransom note with more details. It asks the user to make a 2 Bitcoin (~$1,150) payment to a Bitcoin wallet and provides an email address for contacting the crook.

This may be an elaborate scam

Malware analyst and Bleeping Computer founder Lawrence Abrams says there is no evidence that FairWare encrypts the user's files. The crook may be just uploading the files to a server under his control and holding them for ransom.

He also warns that FairWare's author may be deleting files for good and that users might get scammed after paying the ransom. In the crook's expanded ransom note, which is embedded in full below, the FairWare author says he will not answer any questions from victims or requests to prove he stole their files.

In spite of the crook's claim of not answering emails, users should attempt to get proof that their files still exist before paying the ransom.

At the time of writing, there are no payments in the Bitcoin wallet address listed in the ransom note.

YOUR SERVER HAS BEEN INFECTED BY FAIRWARE | YOUR SERVER HAS BEEN INFECTED BY FAIRWARE
Hi,
Your server has been infected by a ransomware variant called FAIRWARE.
You must send 2 BTC to: 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within 2 weeks from now to retrieve your files and prevent them from being leaked!
We are the only ones in the world that can provide your files for you!
When your server was hacked, the files were encrypted and sent to a server we control!
You can e-mail [email protected] for support, but please no stupid questions or time
wasting! Only e-mail if you are prepared to pay or have sent payment! Questions such as:
"can i see files first?" will be ignored.
We are business people and treat customers well if you follow what we ask.
FBI ADVISE FOR YOU TO PAY: https://www.tripwire.com/state-of-security/latest-security-news/ransomware-victims-should-just-pay-the-ransom-says-the-fbi/
HOW TO PAY:
You can purchase BITCOINS from many exchanges such as:
http://okcoin.com
http://coinbase.com
http://localbitcoins.com
http://kraken.com
When you have sent payment, please send e-mail to [email protected] with:
1) SERVER IP ADDRESS
2) BTC TRANSACTION ID
and we will then give you access to files, you can delete files from us when done
Goodbye!