Date: Mon, 09 Nov 2015 20:23:57 -0500
From: mark <whitroth at 5-cent.us>
To: "gt-pfrc at ml.gt.org" <gt-pfrc at ml.gt.org>
CC: WSFA Official List <wsfa-forum at yahoogroups.com>,
WSFA members <WSFAlist at keithlynch.net>,
bsfsgeneral <bsfsgeneral at bsfs.org>
Subject: [WSFA] Ransomware Now Gunning for Your Web Sites
Reply-To: WSFA members <WSFAlist at KeithLynch.net>
Make *sure* you have *offline* backups.... This is not good.
Excerpt:
This latest criminal innovation, innocuously dubbed "Linux.Encoder.1" by
Russian antivirus and security firm Dr.Web, targets sites powered by the Linux
operating system. The file currently has almost zero detection when
scrutinized by antivirus products at Google's Virustotal.com, a free tool for
scanning suspicious files against dozens of popular antivirus products.
Typically, the malware is injected into Web sites via known vulnerabilities in
site plugins or third-party software, such as shopping cart programs. Once on
a host machine, the malware will encrypt all of the files in the "home"
directories on the system, as well as backup directories and most of the system
folders typically associated with Web site files, images, pages, code
libraries and scripts.
<...>
On Nov. 4, the Linux Website ransomware infected a server used by professional
Web site designer Daniel Macadar. The ransom message was inside a plain text
file called "instructions to decrypt" that was included in every file
directory with encrypted files:
"To obtain the private key and php script for this computer, which will
automatically decrypt files, you need to pay 1 bitcoin(s) (~420 USD)," the
warning read. "Without this key, you will never be able to get your original
files back."
Macadar said the malware struck a development Web server of his that also
hosted Web sites for a couple of longtime friends. Macadar was behind on
backing up the site and the server, and the attack had rendered those sites
unusable. He said he had little choice but to pay the ransom. But it took him
some time before he was able to figure out how to open and fund a Bitcoin account.
"I didn't have any Bitcoins at that point, and I was never planning to do
anything with Bitcoin in my life," he said.
According to Macadar, the instructions worked as described, and about three
hours later his server was fully decrypted. However, not everything worked the
way it should have.
"There's a decryption script that puts the data back, but somehow it ate some
characters in a few files, adding like a comma or an extra space or something
to the files," he said.
--- end excerpt ---
<http://krebsonsecurity.com/2015/11/ransomware-now-gunning-for-your-web-sites/>
mark
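Two failure modes in the story above are worth turning into a routine check: the backups sat on the same host and got encrypted along with everything else, and the decryption script returned files that were subtly altered. An offline manifest of file hashes, taken while the tree is known-good and stored with the offline backup rather than on the web host, lets you answer both questions after an incident or a restore. The script below is an added example written for this post; it is not from the Krebs article, Dr.Web, or the victim, and the site layout, file contents and the ransom-note file name it uses are constructed for the demonstration.

```python
"""Offline backup integrity manifest: record the SHA-256 of every file in a
site tree, keep the manifest with the offline backup, and diff the live tree
against it after an incident or a restore.  Added example, not code from the
article or from Dr.Web; all file names and contents below are constructed."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream a file through SHA-256 so large assets are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative_posix_path: (size_bytes, sha256_hex)} for every regular file
    under root.  Symlinks are skipped so a link pointing outside the tree cannot
    smuggle foreign content into the snapshot."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        manifest[rel] = (path.stat().st_size, sha256_file(path))
    return manifest


def write_manifest(manifest, out_path):
    """Tab-separated text: easy to diff, easy to burn to read-only media."""
    with open(out_path, "w", encoding="utf-8") as fh:
        for rel, (size, digest) in sorted(manifest.items()):
            fh.write(f"{digest}\t{size}\t{rel}\n")


def read_manifest(in_path):
    manifest = {}
    with open(in_path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, size, rel = line.split("\t", 2)
            manifest[rel] = (int(size), digest)
    return manifest


def verify_tree(root, trusted):
    """Diff the live tree against the trusted manifest.
    'changed'    - bytes differ (the silent corruption the article describes),
    'missing'    - originals that are gone,
    'unexpected' - files dropped in that were never in the snapshot (ransom notes,
                   encrypted copies under a new name)."""
    current = build_manifest(root)
    return {
        "changed": sorted(k for k in trusted if k in current and current[k] != trusted[k]),
        "missing": sorted(k for k in trusted if k not in current),
        "unexpected": sorted(k for k in current if k not in trusted),
    }


def demo():
    """Constructed scenario: snapshot a tiny site, then simulate the post-incident
    state (a note dropped into a directory, a file that came back with an extra
    comma, and a file that is simply gone).  Returns the verification report."""
    work = Path(tempfile.mkdtemp(prefix="manifest-demo-"))
    try:
        site = work / "site"
        (site / "public_html").mkdir(parents=True)
        (site / "public_html" / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "public_html" / "style.css").write_text("body { margin: 0 }\n")
        (site / "config.php").write_text("<?php $db = 'prod'; ?>\n")

        # Snapshot taken while the tree was known-good.  In practice this file
        # lives with the offline backup, not on the web host.
        manifest_path = work / "site.manifest"
        write_manifest(build_manifest(site), manifest_path)

        # Simulated aftermath.  The note's file name is hypothetical.
        (site / "public_html" / "index.php").write_text("<?php echo 'hello', ; ?>\n")
        (site / "public_html" / "README_DECRYPT.txt").write_text("pay 1 bitcoin\n")
        (site / "config.php").unlink()

        return verify_tree(site, read_manifest(manifest_path))
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it against the real document root with `build_manifest` before each deploy and `verify_tree` after any restore; a one-byte change such as the stray comma shows up under "changed" because the size or the hash no longer matches, which is the check the victim had no way to make after paying.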