In a time of non-stop news stories about ransomware, a new variant called FAIRWARE is attacking Linux-based servers running web sites.
First reported in a post on Bleeping Computer’s forum, the attack appears, according to the victims, to begin with a brute-force login to the server. Once on the server, the attackers purportedly encrypt and remove the contents of the web folder, deleting the original files and leaving a message that demands a ransom payment of two Bitcoins in return for the files. Of course, removing the contents of the www folder renders the web server unusable, which would be a major issue for mission-critical web applications. Victims are warned that if they don’t pay the ransom within two weeks, they won’t get their files back and the files may be leaked publicly.
It’s still unclear whether the FAIRWARE ransomware developer actually removes the files before deleting them or whether this is simply a ploy to get victims to pay a ransom. To date, no one has paid the ransom to the Bitcoin wallet listed in the note left behind, but with valuable data at risk, victims will be strongly tempted to try to recover their data by paying.
Although we have seen a few forms of server-focused ransomware in the past (SAMSAM is a recent variant that leveraged a JBoss vulnerability), FAIRWARE is a good reminder that there is no silver bullet when it comes to protecting your organization from ransomware. While the majority of attacks target the end user, your servers run your mission-critical applications and store sensitive enterprise data, and they need to be protected as part of a layered security strategy.
An effective server security solution, such as Trend Micro Deep Security, can protect your servers across the hybrid cloud from attack with a wide range of security controls, including:
- Early detection of an attack, including brute-force login attempts like those used by FAIRWARE and lateral movement from server to server, so that immediate action can be taken to minimize the potential impact.
- Shielding your servers from attacks (like SAMSAM) that leverage a vulnerability to gain a foothold on the server.
- Protecting enterprise file servers—which house large volumes of valuable corporate data—from attack via a compromised end user, alerting administrators and stopping suspicious activity in its tracks.
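As an added illustration of the first point above (early detection of the password guessing that FAIRWARE's victims reported), and not code from the original post or from Deep Security: a small Python detector that reads sshd lines in the format syslog writes to /var/log/auth.log, flags a source address that exceeds a failure threshold inside a sliding window, and records whether that address then logged in successfully. The hostname, addresses and log lines are constructed sample data.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime
# sshd password-auth lines as syslog writes them to /var/log/auth.log.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3}) port \d+")

def parse_line(line):
    m = SSHD_RE.match(line)
    if not m:
        return None  # cron, sudo, key-based logins etc. are not password events
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2016)  # syslog omits the year
    return ts, m["result"], m["user"], m["ip"]

def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Flag each source IP with >= threshold failed logins inside a sliding time window."""
    window = defaultdict(deque)  # ip -> failure timestamps still inside the window
    failures, users, alerts = Counter(), defaultdict(set), {}
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, result, user, ip = event
        if result == "Failed":
            failures[ip] += 1
            users[ip].add(user)
            q = window[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that have aged out of the window
            if len(q) >= threshold:
                alerts.setdefault(ip, {"accepted_after_burst": False})
        elif ip in alerts:
            # A success from an address that was just guessing: treat the host as compromised.
            alerts[ip]["accepted_after_burst"] = True
    for ip, alert in alerts.items():
        alert["failures"], alert["users"] = failures[ip], users[ip]
    return alerts

# Constructed sample: a burst of guesses from one address, then a successful login; one typo from a real user.
SAMPLE_LOG = """\
Aug 30 10:01:02 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Aug 30 10:01:03 web01 sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Aug 30 10:01:06 web01 sshd[2103]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Aug 30 10:01:08 web01 sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Aug 30 10:01:09 web01 sshd[2105]: Failed password for invalid user oracle from 203.0.113.5 port 51238 ssh2
Aug 30 10:01:11 web01 sshd[2106]: Accepted password for root from 203.0.113.5 port 51239 ssh2
Aug 30 10:05:30 web01 sshd[2150]: Failed password for alice from 198.51.100.7 port 40000 ssh2
""".splitlines()
```

A successful login following a burst is the event to act on immediately, since it means the guessing worked rather than merely being attempted.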
As part of our commitment to helping our customers with the challenges of ransomware, we’ve put together some useful advice and tools based on our extensive experience with this type of threat. You can also listen to an insightful webinar from experts that will provide you with practical advice on what you should be doing to protect your organization.