In the season 2 premiere of Mr. Robot, Evil Corp is hacked again. This time all of Evil Corp’s machines are compromised and locked up with ransomware. Evil Corp must either pay up or risk losing all of their files and going dark for an extended period, losing tens of millions of dollars a day. If Hollywood is a reflection of our collective anxiety, they nailed it with ransomware.
While ransomware started out targeting individuals, it has become the attack tool du jour against businesses. For instance, high-profile ransomware infections brought down Hollywood Presbyterian Medical Center as well as the MedStar hospitals.
Now we are seeing business websites being compromised to deliver ransomware to anyone who visits them. A recent example of a big-brand corporate site is below. If you had visited the websites shown in this post while they were being exploited, you would have been hit by ransomware, unless of course you are sure you are protected against ransomware with Invincea (in which case go right ahead).
Websites are often compromised by botnets that scan them for vulnerable software or application plugins. The most popular and vulnerable slideshow plugin is Revslider, according to Sucuri.net’s 1Q 2016 report. Once a botnet identifies a vulnerable server, it compromises it by adding redirection scripts, so that visitors are sent to an alternate site hosting an exploit kit that delivers the ransomware to the unwitting victim. The infographic below shows the process.
Below is a detailed look at the forensics delivered by a ransomware attack on a site that sells consumer goods.
Figure 2: Details of logs showing EK URL, check for security tools and CMD shell access
Once a victim is redirected to the Neutrino Exploit Kit, the endpoint is scanned to check whether it is running any security software such as VMware, Wireshark, ESET, Fiddler or a Flash player debugging utility. If those programs are not present on the victim host, the Command Shell is opened and the Windows utility Wscript is used to download the ransomware payload from a Command and Control server.
The site referenced above is far from being the only company website that redirects customers to exploit kits. Check out the gallery of compromised websites at this Storify. Websites compromised in this manner include home builders, recruiters, a water utility, a tourism site, and even a computer security company.
How do these web servers become infected to redirect to Exploit Kits? A botnet called SoakSoak or, most recently, RealStatistics is likely to blame. In December of 2014, over 100,000 self-hosted WordPress websites using the Revslider plugin were compromised in a single day. Since then, automated attacks similar to SoakSoak have continued to target Revslider and other popular plugins that give the attacker the ability to append scripts to web pages to redirect victims to Exploit Kits. Take a look at any website’s W3C log files and you will likely see automated scripts that attack WordPress and other popular plugins.
Figure 3: Automated web attack scan against a website.
Attackers have automated the cycle of compromising legitimate websites to victimize unwitting visitors with ransomware using botnets and exploit kits, and of course vulnerable software. Botnets like SoakSoak are constantly scanning websites for vulnerabilities they can exploit to host redirection scripts.
In many cases it’s only a matter of days before a new website is scanned by the bad guys for vulnerabilities, and by this report up to 30,000 sites a day are hacked. If you are a website operator, keep your content management system updated and patched. If you have old plugins or themes that are no longer in use, remove them from the system completely. Monitor your access logs and use your website’s firewall or .htaccess file to block the addresses of automated scanners. There are additional security-related plugins that do a great job of preventing brute force password guessing, or that can recognize automated scripted attacks and block them in real time.
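One way to act on the log-monitoring advice above, as an added example that is not part of the original post: a Python sketch that reads W3C extended log entries, flags clients that request several different WordPress plugin directories that do not exist on the server, and renders an Apache 2.4 .htaccess fragment for them. The sample log, the `example-*` plugin names, the addresses and the `min_plugins` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in W3C extended log format (documentation-range IPs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2016-07-20 10:00:01 198.51.100.7 GET /wp-content/plugins/revslider/readme.txt 404
2016-07-20 10:00:01 198.51.100.7 GET /wp-content/plugins/example-gallery/readme.txt 404
2016-07-20 10:00:02 198.51.100.7 GET /wp-content/plugins/example-forms/readme.txt 404
2016-07-20 10:00:05 203.0.113.20 GET /wp-content/plugins/revslider/style.css 200
2016-07-20 10:00:06 203.0.113.20 GET /index.php 200
2016-07-20 10:00:09 192.0.2.44 GET /wp-content/plugins/example-gallery/old.js 404
"""

# Captures the plugin directory name from a WordPress plugin path.
PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/]+)/", re.IGNORECASE)

def parse_w3c(text):
    """Yield one dict per entry, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed lines
                yield dict(zip(fields, values))

def find_plugin_scanners(text, min_plugins=3):
    """Map client IP -> sorted plugin names it requested and got a 404 for."""
    misses = defaultdict(set)
    for entry in parse_w3c(text):
        match = PLUGIN_RE.match(entry.get("cs-uri-stem", ""))
        if match and entry.get("sc-status") == "404":
            misses[entry.get("c-ip", "-")].add(match.group(1).lower())
    return {ip: sorted(p) for ip, p in misses.items() if len(p) >= min_plugins}

def htaccess_block(ips):
    """Render an Apache 2.4 .htaccess fragment denying the given addresses."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    return "\n".join(lines + ["</RequireAll>"])

if __name__ == "__main__":
    scanners = find_plugin_scanners(SAMPLE_LOG)
    for ip, plugins in scanners.items():
        print(ip, "requested missing plugins:", ", ".join(plugins))
    print(htaccess_block(scanners))
```

A request for a plugin that is actually installed returns 200 and is not counted, so this only surfaces noisy scanners and does not replace patching or removing unused plugins.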
If you want to be protected against ransomware delivered from legitimate websites you need better endpoint protection. X by Invincea prevents ransomware (even unknown ransomware and other malware infections), before it even has a chance to infect your endpoints.