“At this time it is unknown if the attacker actually retains the victim's files and will return them after a ransom payment. Though all ransomware victims should avoid paying a ransom, if you do plan on paying, it is suggested you verify they have your files first,” wrote Bleeping Computer's Lawrence Abrams.
The ransom note demands that the victim pay two bitcoins within two weeks to get their files back. Victims are also, very helpfully, told that they can email firstname.lastname@example.org with any questions.
Ransomware, and malware generally, is uncommon on Linux. This attack is aimed squarely at the web hosting community, since the majority of web sites are served from Linux servers.
This is reported to be the first ransomware that “permanently” deletes files rather than encrypting them in place, and it is understood to look for backup files on the server too, so a backup kept on the same host offers no protection. Presumably the files are uploaded to the C&C server before they are deleted; on payment they would simply be copied back, which is why it matters whether the attacker actually retains them.
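Abrams' advice to verify that the attacker really holds your files, and the observation that the malware hunts down backups kept on the server, come down to the same practical check: keep a small hash manifest of the site somewhere the server cannot reach, so that any file handed back (by the attacker, or by any restore) can be compared against what was actually there. The following Python is an added example written for this page, not code from Bleeping Computer or from any analysis of the malware; the web root layout, file names and the “restored” copy are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 64 * 1024  # read size for streaming hashes


def sha256_file(path):
    """Stream a file through SHA-256 so large dumps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every regular file under root (POSIX relative path) to its digest.

    The manifest is tiny and must be stored off the host: malware running as
    the web user can delete or replace anything on the server, but it cannot
    rewrite a manifest it cannot reach."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restored(manifest, restored_root):
    """Check returned files against the manifest.

    Returns three sorted lists: intact (hash matches), modified (present but
    different content), missing (not returned at all)."""
    restored_root = Path(restored_root)
    intact, modified, missing = [], [], []
    for rel, digest in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            missing.append(rel)
        elif sha256_file(candidate) == digest:
            intact.append(rel)
        else:
            modified.append(rel)
    return sorted(intact), sorted(modified), sorted(missing)


def demo():
    """Constructed scenario (hypothetical files, not from any real incident):
    a manifest taken before the incident, then a 'restore' in which one file
    comes back altered and the on-server database dump never comes back."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'x'); ?>\n")
        (site / "wp-content" / "backup.sql").write_text("-- constructed dump\n")
        manifest = build_manifest(site)

        restored = Path(tmp) / "restored"
        (restored / "wp-content").mkdir(parents=True)
        (restored / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (restored / "wp-config.php").write_text("<?php // altered on return ?>\n")
        return verify_restored(manifest, restored)


if __name__ == "__main__":
    intact, modified, missing = demo()
    print("intact:  ", intact)
    print("modified:", modified)
    print("missing: ", missing)
```

Run `build_manifest` from a cron job or deploy hook and ship the result to a machine the web server cannot log in to; a manifest that sits next to the site is just one more file for the malware to find. Before paying anything, ask for a sample file and run it through `verify_restored`: a hash mismatch means you would be paying for something other than your data.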
It is not yet known how the breach occurs. All reported victims state that they ran well-patched systems, and one even used a 13-character password mixing letters, numbers and symbols; a patched operating system and a strong password do not help if the application layer is exploitable. It is possible that the malware gets in through a content management system (CMS) vulnerability, and WordPress has been mentioned. Vulnerabilities in CMSs are a whole other issue.