
Just in time for the holiday shopping season, cybercriminals have developed a destructive new form of ransomware that targets the websites of online retailers.

According to independent security journalist Brian Krebs, fraudsters have been leveraging the malware – dubbed ‘Linux.Encoder.1’ – to essentially hold a site’s files, pages and images for ransom.

Retailers’ websites are scanned for common vulnerabilities in site plugins or third-party software, including shopping cart programs, Krebs explained. Cybercriminals then inject the malware into the websites to encrypt key files, images, pages, libraries and scripts, as well as their backups.

Finally, the criminals behind these attacks hold the encrypted files hostage, asking website operators to pay a ransom in anonymous cryptocurrency, such as Bitcoin, to unlock them.

“The ransomware problem is costly, hugely disruptive, and growing,” warned Krebs.

As of this writing, ‘Linux.Encoder.1’ still has a low detection rate of 30/55 when inspected by antivirus products at – a free tool for examining suspicious files against the most common antivirus products.

Craig Young, security researcher at Tripwire, says ransomware has proven to be very lucrative for cybercriminals, so it makes sense that these kinds of attacks are being aimed at online retailers.

“Many online businesses depend on holiday shopping revenue, and if they don’t have good security and backup plans and are victimized by ransomware, the impact can be devastating.”

For retailers expecting a spike in traffic from online shoppers this holiday season, Young identified the following five crucial steps they should take to protect themselves from falling victim to such attacks.

1. Keep plug-in software, especially shopping carts and blogging components, up-to-date at all times.

As soon as a patch for a software vulnerability becomes available, cybercriminals have the information they need to start exploiting any systems that have not yet been updated.

2. Make sure Web servers are not the sole repository for the website’s source code, data and security certificates.

Keeping this content in a source code revision tracking system ensures that a Web server does not become a single point of failure. In the event of a ransomware attack, the owner does not risk losing the intellectual property contained in the website source code.

3. Regularly replicate data files and databases.

It’s much easier to restore the system on a fresh server using the duplicated files.

4. Minimize the software applications and services on production Web servers; a production server should not be used as a workstation.

Ideally, nothing should be stored in home directories except for basic configuration files. This limits the potential risk for data loss.

5. Consider an online service such as Amazon Glacier or Iron Mountain, which provides the ability to back up important data and can be used to recover it in the event of catastrophic loss.

Alternately, the use of virtualized servers with snapshots taken at regular intervals minimizes the risk of cybercriminals destroying key data.
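
As an added illustration of steps 2 and 3 (not code from the original article or from Tripwire), the Python example below compares a live web root against a clean export from revision control and restores files that were altered or removed. The function names and directory layout are assumptions; the clean copy is assumed to live somewhere the web server cannot write to.

```python
import hashlib
import shutil
from pathlib import Path


def manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file() and ".git" not in p.relative_to(root).parts
    }


def compare(reference, deployed):
    """Classify differences between the clean checkout and the live web root."""
    ref, live = manifest(reference), manifest(deployed)
    return {
        "modified": sorted(f for f in ref if f in live and ref[f] != live[f]),
        "missing": sorted(f for f in ref if f not in live),
        "unexpected": sorted(f for f in live if f not in ref),
    }


def restore(reference, deployed, report):
    """Copy modified and missing files back; unexpected files are left for review."""
    restored = []
    for rel in report["modified"] + report["missing"]:
        target = Path(deployed) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(reference) / rel, target)
        restored.append(rel)
    return restored


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample trees
        ref, live = Path(tmp, "checkout"), Path(tmp, "webroot")
        ref.mkdir()
        (ref / "index.php").write_text("<?php echo 'shop'; ?>")
        shutil.copytree(ref, live)
        (live / "index.php").write_bytes(b"\x8f\x02garbled")  # simulate an encrypted file
        report = compare(ref, live)
        print(report, restore(ref, live, report))
```

Legitimate runtime content such as user uploads will show up under `unexpected`, so those paths need their own replication as described in step 3.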

Although there have been instances where ransomware victims do not gain access to their files even after paying the ransom, Young stresses it’s much more effective to protect your business against infections than to take action after an attack.

In the fourth quarter of 2014, Intel Security said it reviewed more than 250,000 new ransomware samples – a 155 percent increase from the previous quarter.

Furthermore, the Internet Crime Complaint Center (ICCC) said 2,275 ransomware complaints were submitted by businesses and individuals from June 1, 2014, to March 31, 2015 – totaling losses of more than $1.1 million.


This blog was co-authored by Eva Hanscom and Craig Young.
