KimcilWare Ransomware Attacks Magento Store

Do you have a Magento Store? If yes, then you have to be alert about the new threat “KimcilWare Ransomware” that is possibly dangerous for your store security. KimcilWare is a web-based ransomware that could theoretically infect any platform. It is still not clearly suspected its attack on other platforms like Android, Windows, and Mac, presently researchers are focusing on Magento shops.

This new threat KimcilWare appends .kimcilware extension at the end of each Magento store file, thereby making your store non-functioning. Additionally, an index file is also added to the server by this ransomware. It also prints a black page replacing the store homepage; reading a headline with “Webserver Encrypted” text in red color. This happens due to SSL connectivity issues.

It gives a ransom note of “Your webserver files has been encrypted with a UNIX algorithm encryptor. You must paw 140$ to decrypt your webserver files. Payment via Bitcoin only. For more information contact me at tuyuljahat@hotmail.com.”

Some Clue on Ransomware

Researchers added, “They found ten stores were getting this message so considers following topics to get some clue. First appears on a Magento Store running in 1.9.1.0 version happen to describe in StackExchangewhere it infected only one site running multiple Magento stores on a server and second is identified on Magento store running in 1.9.2.4 version as described in a Magento Official Forum<Helios Vimeo Video Gallery extension as infected.”

Currently, Magento has kept the Helios Vimeo Galley Extension for its observation.

How Ransomware Attacks?

In the following two cases, you can find out how this .kimcilware extension has affected the Magento store files.

The first script will encrypt your Magento store data files and append .kimcilware extension to all those encrypted files, adds an index.html file to display the ransom note as shown above.

This image is an example of the encrypted files from KimcilWare.

 

The second encryption will take place by appending .locked extension. Here, it creates a README_FOR_UNLOCK.txt in every folder which contains the ransom note as shown below.

ALL YOUR WEBSERVER FILES HAS BEEN LOCKED

You must send me 1 BTC to unlock all your files.
Pay to This BTC Address: 111111111111111111111111111111111
Contact tuyuljahat@hotmail.com after you send me a BTC. Just inform me your website URL and your Bitcoin Address.
I will check my Bitcoin if you really send me a BTC I will give you the decryption package to unlock all your files.

Hope you enjoy 😉

What Store Should Owners Do?

Magento Store owners should immediately update their store to latest Magento Store version and set a strong admin password for their admin account. Check Magento website to install the latest security patches.

Are you unaware of Magento Store insider security threat? Does your store attack by malware? Hire our Magento Support Experts who address all technical security issues and observe the cyber criminals activities to prevent your business loss. We do continuous monitoring of store so you can concentrate on your business. We ensure all latest security patches are installed on our client’s website. Our Support team becomes actionable as soon as when required.