The KimcilWare Ransomware is an encryption ransomware Trojan that has recently been used to target Magento shops. Magento administrators have reported issues regarding the KimcilWare Ransomware, which is a variant of a typical encryption ransomware Trojan. Like other, similar threats, the KimcilWare Ransomware encrypts the victim's files and then demands payment of a ransom. The KimcilWare Ransomware changes the affected files' extension to a KimcilWare extension.
The KimcilWare Ransomware is Attacking Magento Stores
The KimcilWare Ransomware targets Magento store files specifically. It also writes its own index file to the affected server, so that a black page carrying the ransom note is displayed in place of the store's homepage. This index file uses the headline 'Webserver Encrypted' in red text, followed by a typical ransom message that reads as follows:
"Your webserver files has been encrypted with a unix algorithm encryptor. You must pay 140$ to decrypt your webserver files. Payment via Bitcoin only. For more information contact me at firstname.lastname@example.org."
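The artifacts described above (files renamed with the KimcilWare extension and an index file replaced by the 'Webserver Encrypted' page) give a store operator something concrete to check for. The following is an added example, not code from the original report or from Magento: a scan of a document root that flags both indicators. The exact extension string ".kimcilware" is an assumption, as the text only says the extension is changed to a KimcilWare one, and the sample store tree is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the description of the infection. The exact extension
# string is assumed; the report only says files get a KimcilWare extension.
RANSOM_EXTENSION = ".kimcilware"
RANSOM_HEADLINE = "Webserver Encrypted"   # headline of the replaced homepage
INDEX_NAMES = {"index.php", "index.html", "index.htm"}


def scan_webroot(root):
    """Walk a Magento document root and return the relative paths of files
    carrying the ransomware extension and of index files that contain the
    ransom-note headline (the replaced homepage)."""
    renamed, ransom_pages = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower().endswith(RANSOM_EXTENSION):
                renamed.append(rel)
            elif name.lower() in INDEX_NAMES:
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        head = fh.read(65536)  # headline sits at the top of the page
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if RANSOM_HEADLINE.lower() in head.lower():
                    ransom_pages.append(rel)
    return {"renamed": sorted(renamed), "ransom_pages": sorted(ransom_pages)}


def build_sample_store(infected=True):
    """Constructed sample tree (not real data) mimicking a store document root;
    with infected=True it carries both indicators described in the report."""
    root = tempfile.mkdtemp(prefix="magento-sample-")
    os.makedirs(os.path.join(root, "app", "etc"))
    Path(root, "app", "etc", "config.xml").write_text("<config/>")
    if infected:
        Path(root, "index.php").write_text(
            "<html><h1 style='color:red'>Webserver Encrypted</h1></html>")
        Path(root, "app", "etc", "local.xml.kimcilware").write_bytes(b"\x00\x11junk")
    else:
        Path(root, "index.php").write_text("<?php require 'app/bootstrap.php';")
    return root


if __name__ == "__main__":
    print(scan_webroot(build_sample_store()))
```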
Malware researchers have yet to determine the exact infection mechanism associated with the KimcilWare Ransomware. However, at least ten Magento stores and their mirrors are displaying the KimcilWare Ransomware ransom note, and there are several clues that may help malware researchers determine the origin of this rash of KimcilWare Ransomware infections. The first KimcilWare Ransomware infection dates to March 3, when a Magento store owner running version 22.214.171.124 reported it. A second case was reported on Magento's support forums a few days later; in that case, the store owner was running version 126.96.36.199 of the software. It is possible that the infection came through the Helios Vimeo Video Gallery extension, although this has yet to be confirmed.
The KimcilWare Ransomware is Connected to Hidden Tear, Another Open Source Ransomware
There is a second ransomware Trojan, MireWare, which uses the same email address as the KimcilWare Ransomware for its ransom payments and contact. MireWare is a variant of Hidden Tear, a well-known open source ransomware Trojan. This gives some hope to the victims of the KimcilWare Ransomware infection: Hidden Tear is known to have flaws in its encryption implementation, which may allow PC security researchers to find a way for computer users to recover their encrypted files.
Precautions and Measures to Take Regarding the KimcilWare Ransomware
The KimcilWare Ransomware is a Web-based ransomware Trojan. Although it has so far been used only to target Magento stores, the KimcilWare Ransomware could be used to carry out attacks on other platforms. Magento store owners therefore need to secure their accounts and websites. PC security analysts strongly advise Magento store owners to ensure that the passwords for their administration accounts are strong. It is very important to update to the latest version of Magento as soon as possible and to install any available security patches, to prevent KimcilWare Ransomware attacks and other security intrusions. The KimcilWare Ransomware attacks are still at an early stage, and it is too early to study this threat in detail. The KimcilWare Ransomware uses a Rijndael block cipher in its attack to make the victim's files inaccessible. Magento has reported that the Helios Vimeo Gallery extension has been removed as a precautionary measure against further KimcilWare Ransomware attacks.
The Danger Presented by Web-Based Encryption Ransomware
Website owners are advised to take additional steps to secure their files and websites. Infected websites can be used to spread threats and provide additional victims to threat creators. Even on platforms like Magento, computer users must ensure that they take steps to provide their own security, rather than relying entirely on the platform.