The e-commerce platform provider has issued patches for Magento Commerce and removed an extension as a precaution to fend off content management system malware.

E-commerce platform provider Magento Commerce hopes incidents of locked files and bitcoin ransoms are over now that it has taken action to halt a malicious software attack on merchants whose websites run on Magento’s content management system.

The attack encrypted data on the vendor’s server with an extension called .kimcilware. Hackers inserted a file that locked access and referred the Magento customer to a demand for bitcoin digital currency to decrypt the file, according to a customer post on a Magento user forum last month. One Magento client received the following message: “ALL YOUR WEBSERVER FILES HAS BEEN LOCKED. You must send me 1 BTC to unlock all your file. … I will check my Bitcoin if you really send me a BTC I will give you the decryption package to unlock all your files. Hope you enjoy.” Online forums show the first known attack appeared Feb. 11.

Magento declines to confirm the dates of the attacks but says the company is aware of four retailer websites affected, though Magento declines to identify them. Magento removed a computer code extension believed to be the source of the attack, the company says. Magento Commerce is the e-commerce platform for 53 e-retailers in the newly released Internet Retailer 2016 Top 500 Guide and 131 online retailers in the 2015 Second 500.

“We removed that extension as a precaution and scanned for malware, but have found no evidence of malware,” the company’s statement says. Magento believes the attack is not specific to its software but may be a more general web server vulnerability. The company reminded its merchants to apply all available software patches for the version of Magento they are running, Magento says.

Magento is not alone. In October, online electronics retailer Newegg Inc. dealt with hackers who disrupted access to its e-commerce site, hoping to extort money in the form of bitcoin. Newegg resolved the attack and said it paid no ransom.


Security experts say complex systems with a great deal of flexibility, such as Magento’s open source platform and pre-built modules available on the Magento marketplace, can become an Achilles heel when it comes to cybercrime.

Software companies constantly balance customers’ desire for greater functionality and interoperability with the risks that those features might create some exposure, says Peter Tapling, chief revenue officer and former vice president of authentication software for Early Warning, a payments and risk management firm whose services include mobile number verification for retailers.

“Bad guys spend a lot of time working on exploiting flaws and it’s in their best interest to spend that time finding flaws in software that’s broadly deployed to give them a bigger attack surface,” Tapling says.

In September 2014, a security company discovered certain Magento e-commerce clients had installed modules that could open their websites to cybercriminal attack. In that case, companies that develop add-ons to Magento’s e-commerce software had created the modules containing compromised or phony extensions, according to information security firm Foregnix.

Raj Samani, Intel Security’s vice president and chief technical officer for Europe, Middle East and Africa, says KimcilWare ransoms appear to range from $140 to $410, often in U.S. dollars or bitcoin.


“These attacks represent a shift in ransomware,” Samani tells Internet Retailer. “Whereas in the past, attacks with ransomware were more broadly targeted, ransomware vectors like KimcilWare are more targeted toward enterprises and organizations.”