Last week, a new kind of ransomware infecting Linux webservers was detected by Dr.Web, specifically targeting Magento webshops. Once the ransomware accessed a system, it would encrypt various default Magento folders, making them inaccessible to the user. Furthermore, a readme_for_decrypt.txt file was placed in each of these folders with a ransom demand, asking webshop owners to pay a certain sum in bitcoins (actually 1 bitcoin, around 290 EUR or 310 USD) to have the site restored.
Your personal files are encrypted! Encryption was produced using a unique public key RSA-2048 generated for this computer. To decrypt files you need to obtain the private key. The single copy of the private key, which will allow to decrypt the files, located on a secret server at the Internet. After that, nobody and never will be able to restore files... To obtain the private key and php script for this computer, which will automatically decrypt files, you need to pay 1 bitcoin(s) (~420 USD). Without this key, you will never be able to get your original files back.
Obviously it will be very easy to notice if you’ve been infected, but if you’re managing a large amount of webshops, the newly added check by MageReport might be useful.
According to Krebs On Security the ransomware abuses a security leak that has already been fixed by SUPEE-5344 which was released in February of this year. At the moment of writing it is unsure if the ransom has any other attack vectors.
If you have a backup of your system, the easiest solution would be to restore a backup from before the encryption. If you don’t have one, you’re lucky the hackers used a predictable encryption key. Bitdefender released a script to help you decrypt your encrypted files and folders. Since fixing this issue is rather complex, they kindly offer their assistance in the process.