

A new attack called FairWare Ransomware is targeting Linux users: the attackers hack a Linux server, delete the web folder, and then demand a ransom payment of two bitcoins to return the files. In this attack, the attackers most likely do not encrypt the files, and if they do retain the files, they probably just upload them to a server under their control.

Victims have reported that they first learned about this attack when they discovered their web sites were down. When they logged into their Linux servers, they discovered that the web site folder had been removed and a note called READ_ME.txt was left in the /root/ folder. This note contains a link to a further ransom note on pastebin.

The content of the READ_ME.txt file is:

Hi, please view here: http://pastebin.com/raw/jtSjmJzS for information on how to obtain your files!

The ransom note on pastebin requests that the victim pay two bitcoins to the bitcoin address 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within two weeks to get their files back. They are also told that they can email fairware@sigaint.org with any questions.

The full content of the FairWare ransom note is:

YOUR SERVER HAS BEEN INFECTED BY FAIRWARE | YOUR SERVER HAS BEEN INFECTED BY FAIRWARE
Hi,
Your server has been infected by a ransomware variant called FAIRWARE.
You must send 2 BTC to: 1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL within 2 weeks from now to retrieve your files and prevent them from being leaked!
We are the only ones in the world that can provide your files for you!
When your server was hacked, the files were encrypted and sent to a server we control!
You can e-mail fairware@sigaint.org for support, but please no stupid questions or time wasting! Only e-mail if you are prepared to pay or have sent payment! Questions such as: "can i see files first?" will be ignored.
We are business people and treat customers well if you follow what we ask.
FBI ADVISE FOR YOU TO PAY: https://www.tripwire.com/state-of-security/latest-security-news/ransomware-victims-should-just-pay-the-ransom-says-the-fbi/
HOW TO PAY:
You can purchase BITCOINS from many exchanges such as:
http://okcoin.com
http://coinbase.com
http://localbitcoins.com
http://kraken.com
When you have sent payment, please send e-mail to fairware@sigaint.org with:
1) SERVER IP ADDRESS
2) BTC TRANSACTION ID
and we will then give you access to files, you can delete files from us when done
Goodbye!

At this time it is unknown whether the attacker actually retains the victim's files and will return them after ransom payment. Though all ransomware victims should avoid paying a ransom, if you do plan on paying, it is suggested you verify they have your files first.
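
As an added example (not from the original article), a shell triage check for the artifacts described above: the READ_ME.txt note in /root/ and a removed web folder. The /var/www default web root, the function name and the output labels are assumptions; the indicator strings are the ones quoted in the notes above.

```shell
#!/bin/sh
# Added example: triage check for the FairWare artifacts described in the article.
# Usage: fairware_triage [ROOT_HOME] [WEBROOT]
# /root comes from the article; /var/www is an ASSUMED web root, adjust to your server.

# Indicator strings quoted in the article's READ_ME.txt and ransom note.
FAIRWARE_PATTERNS='pastebin\.com/raw/jtSjmJzS|fairware@sigaint\.org|1DggzWksE2Y6DUX5GcNvHHCCDUGPde8WNL|INFECTED BY FAIRWARE'

# Prints one line per finding; returns 0 when nothing was found, 1 otherwise.
fairware_triage() {
    root_home=${1:-/root}
    webroot=${2:-/var/www}
    findings=0
    note="$root_home/READ_ME.txt"

    # 1) Note left in root's home directory.
    if [ -f "$note" ]; then
        if grep -Eqi "$FAIRWARE_PATTERNS" "$note"; then
            # Contains an indicator from the article (case-insensitive match).
            echo "NOTE_MATCH $note"
        else
            # Same file name, different content: review it manually.
            echo "NOTE_PRESENT $note"
        fi
        findings=$((findings + 1))
    fi

    # 2) Web folder removed or emptied.
    if [ ! -d "$webroot" ]; then
        echo "WEBROOT_MISSING $webroot"
        findings=$((findings + 1))
    elif [ -z "$(ls -A "$webroot" 2>/dev/null)" ]; then
        echo "WEBROOT_EMPTY $webroot"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Direct use: sh fairware_triage.sh /root /var/www
if [ "$#" -gt 0 ]; then
    fairware_triage "$@" || echo "FairWare indicators found, preserve the host for investigation"
fi
```

A clean result only means these specific artifacts are absent; it does not show the server was not accessed.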

Update 9/1/16: It has been discovered that Fairware is being installed via hacked Redis servers. More information can be found here: Hacked Redis Servers being used to install the Fairware Ransomware Attack