Important Security Update – Ransomware Attacks on Unpatched Sites

November 11, 2015

By: Piotr Kaminski,
Magento Security Team

We have received reports of ransomware attacks on Magento sites that encrypted all the files on the server and demanded Bitcoin to unlock them. To the best of our knowledge, the affected sites had malicious code (a generic tool) installed under /skin. It is possible that the affected sites had not been patched for Shoplift, or had been patched only recently (possibly without clearing files that were already compromised).

Magento merchants are strongly advised to follow BEST PRACTICES to ensure the security of their sites. If you suspect that your site may have been targeted:

  • Apply all patches to prevent unauthorized access, then check for and delete any admin accounts that are not recognized and authorized for system access. Please visit the Magento Security Center for a LIST OF PATCHES.

  • Review all files and admin accounts for signs of compromise.

  • can also help detect this vulnerability in some cases

If compromised files are found:

  • Restore your site from backup and keep the site offline as you inspect the code for unknown files.

  • Clear the infection: remove any added admin accounts and any suspicious files such as /skin/error.php and others you do not recognize.

  • Implement all available patches ASAP to close any exploitable vulnerability.

  • MageReport also had helpful tips on site recovery at:
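As an added example (not part of this advisory, and not a Magento or MageReport tool), the following POSIX shell script automates two of the file-review steps above: it lists server-side code found under skin/ and media/, which in a stock Magento 1 install hold only static assets, and it lists files present in the live web root that are absent from a known-good backup. The web-root and backup paths are assumed to be supplied as arguments; the script only reads and prints, it never deletes anything.

```shell
#!/bin/sh
# Added example: review helpers for a Magento 1 web root (not the project's own code).
# The directories skin/ and media/ should contain only CSS, JS and images, so any
# PHP file found there (e.g. /skin/error.php) deserves inspection.

# Print every PHP-like file under skin/ and media/ below the given web root.
find_php_in_static_dirs() {
    root="$1"
    for d in skin media; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type f \
            \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) -print
    done | sort
}

# Print paths (relative to the root) that exist in the live tree but not in the
# backup tree. comm(1) needs sorted input, so both listings are sorted first.
files_not_in_backup() {
    live="$1"
    backup="$2"
    tmp_live=$(mktemp)
    tmp_bak=$(mktemp)
    ( cd "$live" && find . -type f | sort ) > "$tmp_live"
    ( cd "$backup" && find . -type f | sort ) > "$tmp_bak"
    comm -23 "$tmp_live" "$tmp_bak"
    rm -f "$tmp_live" "$tmp_bak"
}

# Usage (assumed invocation): ./review.sh /var/www/magento /mnt/backup/magento
if [ "$#" -ge 2 ]; then
    echo "== server-side code under skin/ and media/ in $1 =="
    find_php_in_static_dirs "$1"
    echo "== files in $1 that are not in backup $2 =="
    files_not_in_backup "$1" "$2"
fi
```

Run it against the live web root and a backup taken before the suspected compromise; every path it prints is a candidate for the manual inspection the steps above call for. The admin-account review is a separate check against the admin_user table in the Magento database, which this script does not touch.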

For additional information on how to secure your site, visit: