Fairware Attacks Targeting Linux Servers

Linux admins are reporting attacks against webservers resulting in the deletion of web folders, reportedly by attackers using a ransomware variant called Fairware.

Linux server admins are reporting attacks resulting in the disappearance of the server’s web folder and websites being down indefinitely.

Posts to the forums on the BleepingComputer website corroborate a number of such attacks, most likely intrusions powered by brute-force attacks against SSH, according to one of the victims. In each instance, the web folder is deleted and a read_me file is left behind containing a link to a Pastebin page hosting a ransom note. The note demands two Bitcoin in exchange for the safe return of the files.

Adding some confusion and anxiety around these attacks is that the criminals are saying they’ve infected the Linux server with malware called Fairware, which they are calling ransomware.

However, according to Lawrence Abrams of BleepingComputer, that may not necessarily be an accurate depiction of what’s happening.

“If the attacker uploads a program/script to perform the ‘attack’ then it would be [ransomware]. Unfortunately, our information is limited at this time,” Abrams said. “All reports indicate that the servers are being hacked, but I have not been able to verify these reports yet.”

The ransom note includes a Bitcoin address and gives victims two weeks to pay, otherwise, the note threatens the files will be leaked.

“We are the only ones in the world that can provide your files to you!” the note reads. “When your server was hacked, the files were encrypted and sent to a server we control!”

The note also provides an email address for “support,” but demands that the victims not ask for verification that the criminals are in possession of the lost files.

“I am not sure what they are doing with the files at this time,” Abrams said. “Since they delete the files, if they are keeping them, it makes more sense for them to archive them and upload it to a server rather that bother with encrypting them and then keeping track of individual keys.”

Rather than traditional ransomware where vulnerabilities on the machine are exploited, or the victim is tricked into executing a malicious file, no such evidence has been found in these attacks.

One of the victims who posted to BleepingComputer said that most of their Linux server remained intact, including database files. The read_me file, the post says, was left in the root folder. The deletion of the files and the refusal to answer verification requests are unusual behaviors for criminals who push ransomware.

“It definitely could be [a scam], but it would be a poor business decision for the attackers,” Abrams said. “When ransomware attackers don’t deliver on ransom payments, word gets out, and no one else pays in the future.”

Regardless, victims who see a purported ransomware attack and the threat to publish stolen data online might be nervous and inclined to pay the ransom. Fairware isn’t the first to make such a threat; last November, the Chimera ransomware also made threats to publish data online that was encrypted by the malware. Chimera, however, was limited to attacks against German companies. It, however, was indeed crypto-ransomware and behaved like many other ransomware families by encrypting locally stored data and data on shared network drives.

“Though all ransomware victims should avoid paying a ransom, if you do plan on paying, it is suggested you verify they have your files first,” Abrams said.

Suggested articles