New Website Ransomware Seen

hand handing over cash after device hacked with ransomware

There has been an interesting report about a website ransomware malware installed on a website, that resulted in the total loss of the website. Details are a bit sketchy, but apparently a hosting company that runs Linux Ubuntu servers had a customer that reported their website files were totally encrypted and a demand for 20 bitcoins (about $75,000.00) was demanded in order to obtain the decryption key.

What Is Ransomware?

You may have heard the term previously – it’s  when a computer or device (or in this case, a website) has had malware installed that encrypts or otherwise damages the file system or makes it inaccessible unless some terms – usually a demand for a large payment, are met. Different types of ransomware have been around for a long time – the first case being reported in 1989. It was carried out by an AIDS researcher who distributed thousands of floppy disk that contained a program that involved a questionnaire. The purpose of the questionnaire was to help people determine their risk of developing AIDS.

The disk  however also contained another malware program which was activated the 90th time the infected computer was turned on, and a message would appear on the screen, demanding funds. This malware was called the “AIDS Trojan” and you can read more about it here.

Today, these types of malware are much more sophisticated and along with bitcoin as the ransom payment, can make tracking the culprits difficult.

The Latest – Website Ransomware

As mentioned, a hosting company reported that one of their clients discovered that their website had been fully encrypted with a demand for a large payment. Apparently all the files of the website were encrypted with an extension of “.rontok” and nothing could be discovered about this extension. The script used to do the encryption was apparently named:

rF8v0KRh.php

In the forum where this was reported, others tried to be helpful but there was nothing much that could be ascertained. The script itself appeared to have somehow vanished and it appears that the website owner lost all of their website files unless they agreed to pay the “ransom” to have the site decrypted.

There is also no confirmation of the vector used to place the malicious encryption file in the website’s home directory although one of the readers and commentors assumes it was due to an insecure “CMS” (Content Management System, which almost all websites today are built on).

My Takeaway From This

There is no need for a website to fall into the hands of a malicious attacker using ransomware. I am personally puzzled how all of the website could have been destroyed in this case if indeed, the website used a CMS such as WordPress. While it would be possible for all the site’s files to be attacked, the actual data of all CMS applications resides in a database. Unless the script also affected the database data, it would be a fairly simple process (although possibly time consuming) to simply reinstall the CMS files along with images, and the site should be restored.

However, because there is not enough information, it is also possible that the encryption script also gained the credentials for the database and attacked that as well. But in the report that was made, there is no mention of this.

In addition, even if the entire website file and database were affected, restoring the website to a clean backup would have also solved the problem.

There is of course the issue of how the attacker gained access to the website directory in the first place and unfortunately, there is not enough information provided in the report to make any guesses as to how this occurred.

Keeping Yourself Safe From A Website Ransomware Attack

  1. The first most important thing to do is to make regular full backups of your website and store them. You should have several versions of backup stored – not just the most recent version. If the most recent version was backed up after the website was compromised, reinstalling or restoring from that backup will likely start your problems all over again. This is why having a single full backup of your site is not a guarantee of anything (and of course, the fact that sometimes a backup can fail and files can be corrupted. It is not much fun to discover that the only backup you have was corrupted during the process or during the file transfer to the device you are storing it on).
  2. Secondly, keep your website’s Content Management Systems up to date. It is possible that the attacker was able to use a security vulnerability in the CMS (or plugins) in a previous version because the site owner was not careful about ensuring security updates were applied. While you can have auto updates for many CMS applications including WordPress, we don’t recommend that for various reasons (see more here – Dangers Of WordPress Auto-Updates).
  3. Use strong passwords for your website hosting account. I cannot stress this enough. In my security career, it has never ceased to amaze me at the extremely insecure passwords that people will use. Often I have heard things like, “Why would anyone bother to attack my little website?” or “I just wanted something I could remember easily.” Look – the reason why someone would want to attack your website is because it is there! Why do people want to climb Mt. Everest? Because it is there! Just because you don’t think there is much value in your website does not mean an attacker sees it the same way.Besides, attackers often don’t target websites; they target vulnerabilities that they discover. While it is true that attackers, for possible large monetary gain, will attempt to breach corporations or other important organizations (think about the Ottawa hospital example), they also use systems that are just scanning random websites for vulnerabilities. Often, a malicious attack is not meant to do any visible damage to a website, but rather to gain access to a host in order to use it as a base to attack other hosts.
  4. Don’t use regular FTP. Many of you don’t even know what FTP is as it is not used as often today as it was but it is the “File Transfer Protocol” that was used to transfer files between devices and servers. It’s a protocol that was specifically designed to efficiently transfer large numbers of files but it would transmit usernames and passwords in plain text, giving anyone that could “sniff” the network access to your account. Instead of FTP, use sftp if you can, which encrypts all the data including your username and password.
  5. Protect your website by blocking bad bots and scanners that are looking for vulnerable files and insecure CMS and plugin versions. We published an article the other day on a way to do this:
    Bad Bots! Why Your Website Should Have Protection Against Them

Implementing all of the above is not an iron-clad guarantee that your website won’t become victimized by ransomware or some other malicious attack, but it will make things much more difficult for potential attackers of your website.

Enjoy The Internet. But Be Safe Out There!

(Source For This Article)

Leave a Comment