Magento Malware News Alert – Kimcil Ransomware

The MalwareHunterTeam reported a new malware threat called “KimcilWare” that targets Magento ecommerce stores, though it is not 100% clear whether only Magento is being targeted; they have no evidence of another platform being targeted thus far. This type of security threat is a relatively new phenomenon called ransomware. KimcilWare encrypts all of the files on the target machine, appending the “.kimcilware” extension to the end of each file name. It also adds its own index.html file to the server, replacing the homepage with a black page carrying the ransom note: “Webserver Encrypted. Your webserver files has been encrypted with a unix algorithm encryptor. You must pay 140$ to decrypt your webserver files. Payment via Bitcoin only. For more information contact me at [email address] KimcilWare Infected You”.

There is another script that appends the .locked extension to encrypted files, but rather than replacing the index.html with a ransom note, it creates a file called README_FOR_UNLOCK.txt in every folder with ransom instructions.
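The file-level indicators described above (the “.kimcilware” and “.locked” extensions, README_FOR_UNLOCK.txt, and the replaced index.html) can be checked for directly on a server. The following is an added example, not part of the original post: the function names, the case-insensitive matching and the sample directory tree are assumptions made for illustration.

```python
import os
import tempfile

# Indicators named in the post; case-insensitive matching is an assumption.
ENCRYPTED_SUFFIXES = (".kimcilware", ".locked")
NOTE_FILENAME = "readme_for_unlock.txt"
INDEX_MARKERS = (b"webserver encrypted", b"kimcilware")

def scan_webroot(root):
    """Walk root and return the paths matching each indicator (hypothetical helper)."""
    hits = {"encrypted": [], "ransom_note": [], "defaced_index": []}
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_SUFFIXES):
                hits["encrypted"].append(path)
            elif lower == NOTE_FILENAME:
                hits["ransom_note"].append(path)
            elif lower == "index.html":
                try:
                    with open(path, "rb") as fh:
                        head = fh.read(65536).lower()
                except OSError:
                    continue  # unreadable file: skip rather than abort the scan
                if any(marker in head for marker in INDEX_MARKERS):
                    hits["defaced_index"].append(path)
    return {kind: sorted(paths) for kind, paths in hits.items()}

def build_sample_tree(root):
    """Constructed sample data: a small fake webroot with and without indicators."""
    files = {
        "index.html": "<h1>Webserver Encrypted</h1> KimcilWare Infected You",
        "app/etc/local.xml.kimcilware": "x",
        "media/logo.png.locked": "x",
        "media/README_FOR_UNLOCK.txt": "constructed note",
        "skin/index.html": "<html>normal page</html>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, paths in scan_webroot(tmp).items():
            print(kind, [os.path.relpath(p, tmp) for p in paths])
```

A “.locked” suffix can also belong to legitimate lock files, so treat those hits as leads to review rather than proof of infection.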

There is currently no confirmed information on how the servers are being hacked. Magento has not yet officially released a statement on this threat.

As always, 121ecommerce urges you to scan your Magento website for vulnerabilities. Run a scan on magereport.com to make sure your site is up to date on all security patches.

121eCommerce Website Security Tips

Admin Accounts – Never use the default login URLs, as they are easy to find and hack. Have your dev team change the admin panel URL to a custom login URL.

Account Passwords – Make sure all login passwords are at least 8 alphanumeric characters, including lowercase letters, uppercase letters and numbers.

FTP Access – Limit unsecured regular FTP access to a small group of directories. Use .htaccess and httpd.conf files to prevent scripts from running in these directories, so that they cannot change files and directories on the server that shouldn’t be accessible through those FTP accounts.

Restricted Admin Access – Restrict the admin access to approved IP addresses by blocking access to all IP addresses except specifically listed ones.

Full Site Backup – Keep a full site backup and the code in a repository. This can be crucial in emergencies, so the site can be reverted to a previous version.

As Magento urges, fix any weaknesses you find that may leave you vulnerable to this malware right away. Share this post with your dev team immediately, so they can begin taking action to secure your website.

If you would like our assistance, contact 121ecommerce directly by calling us at (216)586-6656, or message us through our Contact Us form. We can help you identify any potential website security vulnerabilities.