KimcilWare Website Ransomware
Written by Tomas Meskauskas on
What is KimcilWare?
KimcilWare ransomware targets websites using the Magento e-commerce platform (currently, it is not confirmed whether KimcilWare infects other platforms). During encryption, this ransomware appends the .kimcilware extension to each file stored on the server. Furthermore, it creates an index.html file containing a ransom-demanding message.
The message states that files stored on the server have been encrypted. Victims are instructed to pay a $140 ransom in Bitcoin. To do so, victims must contact the cyber criminals via the e-mail address provided ([email protected]). Research shows that there is another variant of KimcilWare that uses a different script to encrypt the files. This version adds a .locked file extension rather than the aforementioned .kimcilware. Furthermore, the second variant does not change index.html. Rather, it creates a README_FOR_UNLOCK.txt file, which also contains a message stating that the files have been encrypted. The ransom demanded by this variant is 1 Bitcoin (~$413.43). Unfortunately, there are no tools capable of restoring compromised data. Therefore, the only solution to this problem is to restore your files and data from a backup.
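As an added example (not part of the original article), the following Python scan walks a Magento web root for the indicators described above: files renamed with .kimcilware or .locked, a README_FOR_UNLOCK.txt note, and an index.html carrying the note's wording. The index.html phrase check is an assumption, since the first variant's exact page text is not quoted here, and the sample directory is constructed in a temporary folder.

```python
import tempfile
from pathlib import Path

# Indicators from the write-up: the encrypted-file extensions of the two
# variants, the second variant's note file, and phrases from that note.
ENCRYPTED_EXTS = {".kimcilware", ".locked"}
NOTE_FILENAME = "README_FOR_UNLOCK.txt"
NOTE_PHRASES = ("ALL YOUR WEBSERVER FILES HAS BEEN LOCKED", "decryption package")


def scan_webroot(root):
    """Walk a web root; return {"encrypted": {ext: [paths]}, "notes": [paths]}.
    index.html is flagged only when it carries a note phrase (an assumption,
    since the first variant's exact page wording is not given)."""
    found = {"encrypted": {ext: [] for ext in ENCRYPTED_EXTS}, "notes": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in ENCRYPTED_EXTS:
            found["encrypted"][ext].append(str(path))
        elif path.name == NOTE_FILENAME:
            found["notes"].append(str(path))
        elif path.name.lower() == "index.html":
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if any(p in text for p in NOTE_PHRASES):
                found["notes"].append(str(path))
    return found


def is_compromised(found):
    """True if any encrypted file or ransom note was seen."""
    return any(found["encrypted"].values()) or bool(found["notes"])


def build_sample_webroot():
    """Constructed sample tree imitating a hit Magento install (not real data)."""
    root = Path(tempfile.mkdtemp(prefix="kimcil_demo_"))
    (root / "app" / "etc").mkdir(parents=True)
    (root / "app" / "etc" / "local.xml.kimcilware").write_bytes(b"\x00\x11junk")
    (root / "media" / "catalog").mkdir(parents=True)
    (root / "media" / "catalog" / "logo.png.locked").write_bytes(b"\x00\x22junk")
    (root / "index.html").write_text("<h1>ALL YOUR WEBSERVER FILES HAS BEEN LOCKED</h1>")
    (root / NOTE_FILENAME).write_text("You must send me 1 BTC to unlock all your files.")
    (root / "skin").mkdir()
    (root / "skin" / "style.css").write_text("body {}")  # untouched file
    return str(root)
```

Run `scan_webroot("/var/www/magento")` (path is an example) against a real document root; a non-empty result means restore from backup rather than trust the server's contents.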
Screenshot of a message encouraging users to contact the developers of KimcilWare ransomware to decrypt their compromised data:
Research shows that ransomware-type viruses are often very similar. For instance, KimcilWare, Locky, CTB-Locker, Xorist, Vault, and Cerber also infiltrate systems and encrypt stored files. Unlike KimcilWare, however, most ransomware infections (including those listed here) are designed to target the Windows OS. There are two other major differences between these viruses - the encryption type used and the size of the ransom. Paying the ransom does not guarantee that your files will be decrypted. In fact, cyber criminals often do not respond to victims even if payment is made. For this reason, you should never attempt to pay the ransom or contact cyber criminals. Ransomware is mostly distributed via trojans, fake software updates, malicious e-mail attachments, and peer-to-peer (P2P) networks. For this reason, you should keep all installed software up-to-date and use a legitimate anti-virus/anti-spyware suite. In addition, be cautious when downloading files/applications from third-party sources and when opening files sent from unrecognized and/or suspicious e-mail addresses.
Message in README_FOR_UNLOCK.txt file:
ALL YOUR WEBSERVER FILES HAS BEEN LOCKED
You must send me 1 BTC to unlock all your files.
Pay to This BTC Address: 1859TUJQ4QkdCTexMTUQYu52YEJC49uLV4
Contact [email protected] after you send me a BTC. Just inform me your website url and your Bitcoin Address.
I will check my Bitcoin if you really send me a BTC I will give you the decryption package to unlock all your files.
Hope you enjoy ;)
Screenshot of an infected web server containing files with the .kimcilware extension: