KimcilWare targets websites using the Magento eCommerce platform. The exact method of compromise is currently unknown, but files located on the victimized web server are encrypted with Rijndael 256. Additional analysis reveals that KimcilWare opens a backdoor into the server, giving attackers full control over the targeted website. This variant uses one of two scripts to encrypt the targeted files. One script changes the file extensions on all encrypted files to .kimcilware and the other script changes them to .locked. The first script demands a ransom of $140 USD and the second demands 1 Bitcoin.
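
A triage check built on the two file extensions described above, as an added example that is not part of the original write-up: it walks a web root, counts renamed files per variant and uses their modification times to bound when the encryption ran. The function names and the sample directory tree are constructed for illustration, and because a `.locked` suffix is also used by other ransomware, hits are a lead to investigate rather than attribution.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

# Extension -> ransom demand, both taken from the description above.
VARIANTS = {".kimcilware": "$140 USD", ".locked": "1 Bitcoin"}

def triage(web_root):
    """Walk web_root and summarise files carrying either KimcilWare extension."""
    hits = defaultdict(lambda: {"count": 0, "dirs": set(), "first": None, "last": None})
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in VARIANTS:
                continue
            mtime = os.lstat(os.path.join(dirpath, name)).st_mtime
            h = hits[ext]
            h["count"] += 1
            h["dirs"].add(os.path.relpath(dirpath, web_root))
            h["first"] = mtime if h["first"] is None else min(h["first"], mtime)
            h["last"] = mtime if h["last"] is None else max(h["last"], mtime)
    return dict(hits)

def report(hits):
    """Render one line per variant; the mtimes bound the encryption window."""
    lines = []
    for ext, h in sorted(hits.items()):
        window = " to ".join(
            datetime.fromtimestamp(t, timezone.utc).isoformat() for t in (h["first"], h["last"]))
        lines.append(f"{ext}: {h['count']} file(s) in {len(h['dirs'])} dir(s), "
                     f"demand {VARIANTS[ext]}, mtime window {window}")
    return lines or ["no .kimcilware or .locked files found"]

def build_sample_tree(root):
    """Constructed sample: a tiny fake Magento layout with three renamed files."""
    layout = {"index.php.kimcilware": 1000, "app/etc/local.xml.kimcilware": 1060,
              "media/logo.png.locked": 2000, "skin/site.css": 500}
    for rel, mtime in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample data")
        os.utime(path, (mtime, mtime))  # fixed mtimes make the window reproducible

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(report(triage(tmp))))
```

On a real server, run `triage` against a read-only copy or snapshot of the web root so the modification times are preserved for the investigation.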