Linux servers hit with FairWare ransomware – or is it just a scam?

Users posting on Bleeping Computer’s forums have alerted the world to a new threat targeting Linux server admins: the FairWare ransomware.

Whether the ransomware actually exists or not is still up for debate, as we only have the attackers’ claim that they are using it. It’s perfectly possible that they managed to compromise servers – apparently, through a brute-force SSH attack – and simply deleted the data they claim to have stolen.

Victims of the attack find their web folder deleted, and in its place a ransom note pointing them to an online paste.

There, they find the ransom note, saying that their server has been infected with “a ransomware variant called FAIRWARE,” that they have two weeks to send 2 Bitcoin to a specified address, and that they can contact the attackers via email, but should not expect to see proof that the attackers have the stolen files:

FairWare ransomware ransom note

This definitely adds to the suspicion that they might have simply deleted the files in question and, even if the victims pay, they might not get them back.

“Most ransomware developers dont just delete files as it would quickly be found out and noone would pay the ransom,” Bleeping Computer’s Lawrance Abrams noted.

“Its possible they gzipped the www folders, uploaded it, and then deleted it. Unfortunately, wont know unless you email them.”

So far, the attackers’ Bitcoin address has yet to show evidence of a ransom payment. This threat is very recent, and the two week payment deadline is still far off, so victims are likely still trying to discover whether paying the ransom will bring their files back and are looking for answers online.

UPDATE (September 1, 2016): A similar attack has been spotted by Duo Security researchers targeting Redis servers.

Don't miss