Attackers claim the files are first encrypted and uploaded to a server under their control A destructive ransomware program deletes files from web servers and asks administrators for money to return them, though it’s not clear if attackers can actually deliver on this promise.Dubbed FairWare, the malicious program is not the first ransomware threat to target Linux-based web servers but is the first to delete files. Another program called Linux.Encoder first appeared in November and encrypted files, but did so poorly, allowing researchers to create recovery tools.After attackers hack a web server and deploy FairWare, the ransomware deletes the entire web folder and then asks for two bitcoins (around US$1,150) to restore them, Lawrence Abrams, the founder of tech support forum BleepingComputer.com, said in a blog post.In the ransom note left on the server, attackers claim that before being deleted from the targeted server, the files were first encrypted and uploaded to another server under their control. “We are the only ones in the world that can provide your files for you!” the ransom note reads. The payment must be made within two weeks, the note says.There is no evidence yet that attackers actually have copies of the deleted files, so users should think twice before paying. The ransom note includes a contact email address but says questions like “can I see files first?” will be ignored. Many server operators may decide not to pay because websites typically have backup routines in place. Many web hosting providers also include daily or weekly backups as part of their service.Webmasters who run their own web servers should keep in mind that backups must be saved to an offsite location, not on the production server where they can be affected by a potential server compromise.Even with backups available, a ransomware infection should be cause for concern and should prompt the server administrator to investigate the weakness that allowed the server incident to occur in the first place. Possible causes include vulnerabilities in the website or stolen administrative credentials. Related content news Google Chrome zero-day jumps onto CISA's known vulnerability list A serious security flaw in Google Chrome, which was discovered under active exploitation in the wild, is a new addition to the Cybersecurity and Infrastructure Agency’s Known Exploited vulnerabilities catalog. By Jon Gold Oct 03, 2023 3 mins Zero-day vulnerability Vulnerabilities Security brandpost The advantages and risks of large language models in the cloud Understanding the pros and cons of LLMs in the cloud is a step closer to optimized efficiency—but be mindful of security concerns along the way. By Daniel Prizmant, Senior Principal Researcher at Palo Alto Networks Oct 03, 2023 5 mins Cloud Security news Arm patches bugs in Mali GPUs that affect Android phones and Chromebooks The vulnerability with active exploitations allows local non-privileged users to access freed-up memory for staging new attacks. By Shweta Sharma Oct 03, 2023 3 mins Android Security Vulnerabilities news UK businesses face tightening cybersecurity budgets as incidents spike More than a quarter of UK organisations think their cybersecurity budget is inadequate to protect them from growing threats. By Michael Hill Oct 03, 2023 3 mins CSO and CISO Risk Management Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe