TechWalls
Magento websites at risk from KimcilWare ransomware

Updated on Mar 31, 2016 by Guest Authors

If you are running a website that uses the Magento solution, chances are you might be the next victim of a new breed of ransomware dubbed KimcilWare, which security researchers have spotted in the wild infecting several sites.

Since the malware has only just been discovered, it is hard to establish at the moment how the attackers broke into the victimized websites and encrypted the files using the Rijndael block cipher. According to initial reports, the attackers are selling the decryption key for the ransomware at $415, equivalent to one Bitcoin. Other variants of the ransomware can be decrypted at a lower cost, as low as $140.


KimcilWare was first seen as a broken Hidden Tear variant, presumably because of certain issues with the SSL connectivity of the attackers’ command and control server. The person responsible for the ransomware seems to be the same attacker behind another breach into a website infected with KimcilWare, as indicated by the ransom note, which contained the email address of the attacker.

Security researchers found some variations in the way the attacker infected the two victim sites with the ransomware, but the remarkable similarity was the email address of the attacker and the use of the Magento e-commerce platform in both websites.

Further investigation revealed that the attacker behind the KimcilWare ransomware had been attacking websites for more than a month, dropping a script meant to lock out website owners by encrypting their site data. More than two types of script were used to encrypt that data, according to the researchers.

The first script encrypts the website's files and renames them with the .kimcilware file extension, adding an HTML file that shows the ransom note. The second script appends the .locked extension to each encrypted file and displays a message containing the ransom note, which states that the victim must send one Bitcoin to the attacker in order to unlock the files. The ransom note includes the Bitcoin address as well as the email address through which the victim is instructed to contact the attacker after the ransom has been paid.
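The two file-level indicators described above (encrypted files renamed with the .kimcilware or .locked extension, plus a dropped HTML ransom note that mentions Bitcoin and decryption) are easy to check for on a suspect Magento host. The following is an added example written for this article, not tooling from the researchers or from Magento; the keyword pattern used to recognise a ransom note and the sample web root it scans are assumptions constructed here, since the page does not reproduce the note's exact wording.

```python
"""Scan a web root for KimcilWare-style indicators: files renamed with the
.kimcilware or .locked extension and an HTML ransom note.

Added example, not code from the article or from the researchers it cites.
"""
import os
import re
import shutil
import tempfile
from pathlib import Path

# Extensions the two encryption scripts append, as described in the article.
INDICATOR_EXTENSIONS = {".kimcilware", ".locked"}

# Assumed keywords for spotting a ransom note; the real note's wording is not
# given on the page, so this is a heuristic, not a signature.
NOTE_KEYWORDS = re.compile(r"\b(bitcoin|decrypt\w*|ransom|encrypted)\b", re.IGNORECASE)


def scan_webroot(root):
    """Return sorted lists of suspicious encrypted files and likely ransom notes."""
    root = Path(root)
    encrypted = []
    notes = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        suffix = path.suffix.lower()
        if suffix in INDICATOR_EXTENSIONS:
            encrypted.append(rel)
        elif suffix in {".html", ".htm"}:
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            # Require at least two distinct keywords so a normal page that
            # mentions Bitcoin once (e.g. a payment page) is not flagged.
            hits = {m.lower() for m in NOTE_KEYWORDS.findall(text)}
            if len(hits) >= 2:
                notes.append(rel)
    return {"encrypted": sorted(encrypted), "ransom_notes": sorted(notes)}


def build_sample_webroot(base):
    """Create a constructed, fictional Magento-like tree containing indicators."""
    base = Path(base)
    files = {
        "app/etc/config.php": "<?php return [];",
        "app/etc/env.php.kimcilware": "\x00\x1f\x8bciphertext",
        "media/catalog/product/shoe.jpg.locked": "\x00\x1fciphertext",
        "index.html": (
            "<h1>Your files have been encrypted!</h1>"
            "<p>Send 1 Bitcoin to PLACEHOLDER_ADDRESS to decrypt them.</p>"
        ),
        "about.html": "<p>We now accept Bitcoin at checkout.</p>",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return base


def demo():
    """Build the sample tree in a temp dir, scan it, clean up, return findings."""
    tmp = tempfile.mkdtemp(prefix="kimcil-demo-")
    try:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("encrypted files:", result["encrypted"])
    print("ransom notes:   ", result["ransom_notes"])
```

Run it against a real web root with `scan_webroot("/var/www/magento")`; any hit on the extension check is strong evidence of the encryption scripts having run, while the note heuristic is only a prompt to read the flagged file. Paths are returned relative to the root so the output can be fed straight into a file-restore list from backups.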

It remains unclear how the attacker got hold of the servers being victimized, but it appears the Helios Vimeo Video Gallery extension has been exploited. Magento has yet to release a statement regarding the hacks.
