Legitimate websites serving up ransomware

Next story

Heimdal Security have found that potentially 142 million legitimate websites could be delivering ransomware due to outdated content management systems or plugins.

This exploit specifically works with websites run using WordPress and according to Heimdal that could be “24.3% of all websites.”

The obviously worrying thing about this particular exploit is the much vaunted ‘trust factor’. These websites are perfectly legitimate and certainly aren’t the dodgy sites that common sense tells you to avoid.


How does it work?

Mark James, ESET IT security specialist, explains exactly how the exploit works.

“A malicious script injected on the targeted website references a domain that redirects traffic towards the commercial exploit kit Neutrino, which then tries to infect victim’s system with a ransomware Trojan.

“Once infected all of your important files both locally and shared on a network will be systematically encrypted and instructions will be given to enable you to purchase the decryption keys using bitcoins as a means to pay.

“During this process the ransomware will also delete windows files used to restore your files through system restore, at this point once encrypted your only option is to restore from backups.

“I know it may be the only option left for you to recover your files but please remember paying the ransom is ultimately just funding criminal activity.”

There is also no guarantee that you will even receive a decryption key: the cybercrims responsible might just cut and run.


What can you do?


The advice is the same as with most breaches, hacks, or exploits: keep everything updated and keep your wits about you at all times.

“Make sure your operating systems and applications including web browsers are fully updated and using the latest versions, you also need to ensure any plugins or extensions used in those browsers are also updating and up to date.

“If they are old or outdated then you should look for newer software that does the same thing that is being maintained, ensure you use a good updated Internet security product that includes anti-virus and be very careful when asked to click links or options when surfing the web.

“Not every pop-up box or question will tell the truth when they give you options, just because you click “no” it does not always mean no, if you think something seems wrong then close the browser as opposed to clicking “no” and then run a full scan with your Anti-Virus product.”


What should companies and organisations be doing?


The heart of the problem here is widespread use of outdated CMS’ or plugins on websites in the first place.

“The first thing any company should do that utilises their own web site is check all of their software to ensure its up to date, patching both applications and operating systems should be run on a weekly basis without fail.

“You cannot supply data or services to the public without keeping an eye on the means to offer those services, I appreciate we can’t protect against all vulnerabilities and exploits 100% of the time but there’s so many that can be protected just by updating your software.

There is no excuse for why it’s not being done, it’s not rocket science and it should not cost you any money to at least check.”

If it’s so simple then why isn’t it happening?

“Quite often it’s one of two reasons, either not knowing there’s an update available for the software they are using or just not getting around to it, there can’t be any other valid reasons, no one in their right mind would ignore updates that could cause so many problems for its users.

“Checking the installed version numbers against any available updated versions at worst will be a physical check within the application itself or at best an automated check or clickable option within the software itself, either way it must be done on a regular basis.”

Join the ESET UK LinkedIn Group and stay up to date with the blog. If you’re interested in seeing where ESET has been featured in the news then check out our ‘In the news’ section.

Have you ever been infected with ransomware?