
FairWare Ransomware Help & Support (READ_ME.txt)


#1 gonngetchu

Posted 27 August 2016 - 03:27 PM

My Linux machine was hacked (maybe brute force, maybe intercepted on an airplane) with root access, and the www directory was deleted.
 
There was a readme file in it with a link to a pastebin where the ransom note was located.
 
The note stated, "YOUR SERVER HAS BEEN INFECTED BY FAIRWARE" and demanded 2 BTC "to retrieve your files and prevent them from being leaked!"
 
Has anyone heard of this FAIRWARE ransomware variant? There is nothing on the net about this one. I'm wondering if the files were just deleted. I am skeptical that they would be downloaded and encrypted / stored remotely due to the bandwidth and storage requirements (there were a ton of video files in there), although the supposed penalty for non-payment is that the files will be "leaked."
 
Any input is appreciated.


#2 xXToffeeXx

Posted 27 August 2016 - 03:43 PM

Definitely seems new. Do you happen to have the file which encrypted your data?

 

No ransomware has leaked data yet, so this would be the first. Usually it's just a scare tactic.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

 

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~


#3 gonngetchu

Posted 27 August 2016 - 03:53 PM

Might have it... most of the server seems intact, including DB files etc. Where would I look?

 

I don't need these files but would rather they not be leaked. Thanks xXToffeeXx.



#4 xXToffeeXx

Posted 27 August 2016 - 04:03 PM

I suggest checking the home directory or /tmp/.

 



#5 gonngetchu

Posted 29 August 2016 - 07:36 AM

Nothing jumped out as suspicious, but here are the root and tmp directory listings.

 

/root

 

.bash_history
.bash_logout
.bash_profile
.bashrc
.cache
.composer
.config
.cshrc
.dbus
Desktop
.esd_auth
.forever
.freerdp
.gconf
.gconfd
.gnome2
.gnome2_private
.gnote
.gnupg
.gstreamer-0.10
.gtk-bookmarks
.gvfs
.ICEauthority
.icons
.kde
.local
.mozilla
.mysql_history
.nautilus
.node-gyp
.node-red
.npm
.pki
.pm2
.pulse
.pulse-cookie
READ_ME.txt
.rnd
.ssh
.tcshrc
.themes
.thumbnails
.viminfo
.vnc
.xautheXyB74
.Xauthority
.xauthyhiQ8R
.xsession-errors
.xsession-errors.old

 

 

 

/tmp

 

bitrock_installer.log
.esd-0
.esd-500
gnome-system-monitor.david.3061764366
gnome-system-monitor.root.359140809
.ICE-unix
keyring-0UvLv2
keyring-4cGonb
keyring-4wrmEd
keyring-6u2Wqm
keyring-95vA81
keyring-9hNhn7
keyring-BObkgD
keyring-d7GmIE
keyring-DB9PPr
keyring-eJlFSe
keyring-GgkOHE
keyring-hCOzqh
keyring-I9nTmc
keyring-IwS8Ma
keyring-lgQ4X5
keyring-lRINuA
keyring-MpkP8n
keyring-N6JHvx
keyring-OGbctU
keyring-q3r7mc
keyring-qnWe5n
keyring-qortQQ
keyring-qouKMl
keyring-rWMvES
keyring-sUbijV
keyring-T44XN3
keyring-V5Mtyi
keyring-yaLhjS
keyring-YqNDhd
keyring-Zq4Zlz
mongodb-27017.sock
mysql
orbit-gdm
orbit-root
pulse-MuHcuCyNnj4j
pulse-UbdAUBwKtkuO
pulse-xd6f8mXDeeai
ssh-XIsRNi4313
.vbox-david-ipc
.vbox-root-ipc
virtual-david.G1Ez0W
virtual-root.8szB9m
virtual-root.cxy5aO
virtual-root.IU57cG
virtual-root.rij3t0
virtual-root.ymv27w
virtual-root.YUzIbg
virtual-root.ZiUJDE
.X0-lock
.X11-unix
.X2-lock
yum_save_tx-2016-07-18-09-30rbcLzT.yumtx
yum_save_tx-2016-07-18-09-49K4ZfEq.yumtx
yum_save_tx-2016-07-18-09-54tnCwz_.yumtx
yum_save_tx-2016-07-18-10-03QgatwJ.yumtx
yum_save_tx-2016-07-18-10-04pdids9.yumtx
yum_save_tx-2016-07-31-15-08z7vgv7.yumtx
yum_save_tx-2016-08-15-10-23hZ_s26.yumtx



#6 Grinler
    Lawrence Abrams

Posted 29 August 2016 - 08:42 AM

Can you upload the readme file to http://www.bleepingcomputer.com/submit-malware.php?channel=168 ?

 

Also any other files in the same folder as the readme?

 

What is the exact name of the readme?



#7 gonngetchu

gonngetchu
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 29 August 2016 - 08:46 AM

READ_ME.txt uploaded.

 

The file was in the /root directory (see above for the listing).



#8 Grinler
    Lawrence Abrams

Posted 29 August 2016 - 10:12 AM

Most ransomware developers don't just delete files, as it would quickly be found out and no one would pay the ransom.
 
It's possible they archived the www folders, uploaded it, and then deleted it. Unfortunately, you won't know unless you email them. May want to email fairware@sigaint.org and see if they can send you a file that was in your www folder as proof that they actually still have the files.
 
Even though they say they won't answer emails, I wouldn't trust them without verification.

#9 fairwarevictim

Posted 29 August 2016 - 02:07 PM

I also got attacked by this exact ransomware recently.

I am in the process of figuring out whether they actually have my data or not.

 

I found the note in two places:

- /root/

- log into user shellinabox

 

P.S.: Through the log file, I noticed that they used a brute-force SSH attack.


Edited by fairwarevictim, 29 August 2016 - 04:15 PM.
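The brute-force SSH pattern this post mentions, checked the way a defender would after the fact: an added Python example (not from the thread or any poster) that parses constructed sshd auth-log lines, assumes the year 2016 for the year-less syslog timestamps, and flags a source IP whose burst of failed logins is followed by an accepted login.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth-log sample (not from the thread); addresses are documentation ranges.
SAMPLE_LOG = """\
Aug 27 02:13:01 web sshd[2201]: Failed password for root from 203.0.113.7 port 50112 ssh2
Aug 27 02:13:03 web sshd[2203]: Failed password for root from 203.0.113.7 port 50114 ssh2
Aug 27 02:13:05 web sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 50116 ssh2
Aug 27 02:13:06 web sshd[2207]: Failed password for root from 203.0.113.7 port 50118 ssh2
Aug 27 02:13:08 web sshd[2209]: Failed password for root from 203.0.113.7 port 50120 ssh2
Aug 27 02:13:10 web sshd[2211]: Accepted password for root from 203.0.113.7 port 50122 ssh2
Aug 27 08:40:21 web sshd[3101]: Accepted publickey for david from 198.51.100.4 port 40122 ssh2
Aug 27 09:02:44 web sshd[3150]: Failed password for david from 198.51.100.4 port 40130 ssh2
"""
# Matches "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_ts(ts, year=2016):
    # Syslog timestamps carry no year; 2016 is assumed for this sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bruteforce_logins(log_text, threshold=5, window_s=60):
    """Map each source IP with >= threshold failures inside window_s seconds and a
    later accepted login to {"failures": n, "accepted": [(ts, user), ...]}."""
    failures, accepted = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line (session opened/closed, etc.)
        ts = parse_ts(m["ts"])
        if m["result"] == "Failed":
            failures[m["ip"]].append(ts)
        else:
            accepted[m["ip"]].append((ts, m["user"]))
    hits = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: end of the first run of `threshold` failures within window_s.
        burst_end = next((times[i + threshold - 1] for i in range(len(times) - threshold + 1)
                          if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s), None)
        if burst_end is None:
            continue
        later = [(t, u) for t, u in accepted[ip] if t >= burst_end]
        if later:  # burst followed by a successful login: the compromise pattern to alert on
            hits[ip] = {"failures": len(times), "accepted": later}
    return hits
```

On a real host, feed it the contents of /var/log/secure or /var/log/auth.log; a single failed login from a known administrator address, as in the last sample line, is not flagged.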


#10 quietman7

Posted 31 August 2016 - 08:02 PM

Grinler has released a new BC News article: New FairWare Ransomware targeting Linux Computers
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
