The KimcilWare Ransomware targets Magento Platforms

Security experts from the MalwareHunterTeam have spotted a news train of ransomware, called KimcilWare, specifically designed to target Web servers, and more specifically Magento e-commerce platforms.

“A new ransomware called KimcilWare has been discovered that appears to be targeting web sites using the Magento eCommerce solution.  It is currently unknown how these sites are being compromised, but victims will have their web site files encrypted using  a Rijndael block cipher and then ransomed for anywhere between $140 USD and $415 USD depending on the variant that infected them.  Unfortunately, at this time there is no way to decrypt the data for free.” states a blog post published on BleepingComputer.

The KimcilWare ransomware encrypts the files of the Magento platform, it is easy to recognize because it appends the “.kimcilware” extension at the end of each file. rendering the store useless.

“One script will encrypt all data on the web site and append the .kimcilware extension to all encrypted files.  It will also insert a index.html file that displays the ransom note shown above. The KimcilWare variant has a ransom amount of $140 USD. You can see an example of a folder encrypted with the KimcilWare script below. ” continues BleepingComputer.

The malware also uses its index file in order to publish a black page that informs the victims that the server had been encrypted.

“Webserver Encrypted” states the message on the home page “Your webserver files has been encrypted with a unix algorithm encryptor. You must paw 140$ to decrypt your webserver files. Payment via Bitcoin only. For more information contact me at tuyuljahat@hotmail.com.”

Of course, the e-commerce becomes useless once the malware has encrypted all the files.

The bad news is that it is still unknown the infection process, but fortunately, the number of infections is still limited.

The KimcilWare ransomware was first reported on March 3 by the owner of a Magento store (version 1.9.1.0) on StackExchange. The administrator noticed that only one site on a server with multiple Magento instances was infected.

A second case was reported a few days later on Magento’s official forum, from a store owner running version 1.9.2.4. The Magento admin speculates a security issue affecting the Helios Vimeo Video Gallery extension.

Another ransomware having similar capabilities was discovered by the security researcher Jack (@Malwareforme). This second malware is called MireWare and uses the same tuyuljahat@hotmail.com email address in its ransom note included in the index page.

Jack noticed that MireWare is a variant of the Hidden Tear open source ransomware published by the Turkish security researchers Utku Sen for educational purposes.

The Hidden Tear was intentionally designed with security flaws and Bleeping Computer’s researchers Lawrence Abrams who analyzed MireWare confirmed that also this threat is currently broken due to the lack of a valid SSL certificate for its C&C server.

Experts believe that the KimcilWare ransomware is in its early stages, but that it might rapidly evolve.

If you administrate a Magento store update to the latest Magento store versions and use strong passwords for the admin accounts.

Pierluigi Paganini

(Security Affairs – KimcilWare ransomware, Magento)