The Risk of an Unprotected Website: Ransomware Returns to Ukraine

In an echo of last month’s NotPetya ransomware attack, researchers at Ukraine’s ISSP Labs [PDF] recently found that a server belonging to the software developer Crystal Finance Millennium had been compromised and used to distribute malware, including ransomware.

“This could be an indicator of … massive cyber attack preparation before the National Holidays in Ukraine,” the researchers warned. Ukraine’s Independence Day is celebrated on August 24 and 25.

According to security researcher Bart Blaze, the malware present on the site included the downloader Smoke Loader, the Chthonic banking Trojan, and PSCrypt ransomware.

Because the first payment to the PSCrypt campaign’s Bitcoin address was made on August 15, Blaze notes that it’s reasonable to assume Crystal Finance Millennium’s website was compromised on or before that date, possibly on the 14th.

Ransomware Tactics

According to Blaze, PSCrypt demands approximately 115 Euros to regain access to encrypted files, and provides a detailed message explaining how to send bitcoins to the attackers.

It also lists a fake address in the U.S. for a nonexistent company called “Unlock files LLC.”

A recent SentinelOne analysis of ransomware attacks found that 51 percent of splash screens include some form of customer service, such as a FAQ or instructions on how to buy bitcoins. Three quarters of ransomware splash screens demand payment in bitcoins, with an average demand of 0.47 BTC (currently almost $2,000).

Over 50 percent of ransomware splash screens use a ticking-clock device to create a sense of urgency, with deadlines ranging from 10 hours to over 96 hours.

“We know that psychology plays a significant part in cybercrime — what’s been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims,” report author Dr. Lee Hadlington said in a statement.

“With ransomware on the rise, it’s important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims,” Hadlington added.

Leveraging Unprotected Sites

SiteLock president Neill Feather told eSecurity Planet by email that unprotected websites are an ideal tool for hackers to distribute malware. “Gaining access to a site’s Web server allows attackers to host malware to all visitors of the site rather than one victim at a time to maximize the scope of the attack and potential impact,” he said.

“With this in mind, it is imperative that organizations place an emphasis on website security and replace their reactive response plans with proactive measures, implementing comprehensive security tools to protect users and mitigate risk,” Feather added.

Recent SiteLock research [PDF] found that the average website experiences 22 cyber attacks per day, or more than 8,000 attacks per year.

Fully 73 percent of hacked websites are infected with backdoors, 39 percent are infected by shell programs, 21 percent are infected with spam content, 21 percent have traffic stolen, and 6 percent have resources stolen.

Chris Olson, CEO of The Media Trust, said by email that organizations almost always underestimate the complexity of securing a website. “Typically, businesses only monitor their own code, yet most consumer-facing sites adopt plug-ins and other third party content services — video or image hosting, social widgets, analytics, data management platforms, payment processing, etc. — whose code execution is not readily visible to IT and, therefore, outside of their control,” he said.
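The visibility gap Olson describes can be measured rather than guessed at. The script below is an added example written for this article, not code from The Media Trust, SiteLock or the author: it parses a page's HTML and inventories every script, iframe, stylesheet and image served from a host other than the site's own, and separately flags third-party scripts that carry no Subresource Integrity hash (a standard `integrity` attribute that pins a script to a known digest, so a silently altered file on the third-party host is refused by the browser). The sample page, its hostnames and the placeholder hash are constructed for the example.

```python
"""Inventory the third-party code a web page pulls in.

Added example for illustration only; it is not the article's or any vendor's
tool. Given the HTML of one page and the site's own hostname, it reports the
external scripts, iframes, stylesheets and images, and which third-party
scripts lack a Subresource Integrity (SRI) pin. Sample data is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute that names the resource the tag loads.
_LOADERS = {"script": "src", "iframe": "src", "link": "href", "img": "src"}


class _ResourceCollector(HTMLParser):
    """Collect (tag, url, has_integrity) for every resource-loading tag."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = _LOADERS.get(tag)
        if attr is None:
            return
        a = dict(attrs)          # HTMLParser lower-cases attribute names
        url = a.get(attr)
        if not url:
            return
        # Only stylesheet <link>s pull code-like content; skip icons etc.
        if tag == "link" and (a.get("rel") or "").lower() != "stylesheet":
            return
        self.resources.append((tag, url, "integrity" in a))


def third_party_resources(html, site_host):
    """Return [(tag, url, has_integrity)] for resources served off-site.

    A URL with no host (relative path, data: URI) is treated as first-party;
    scheme-relative URLs such as //cdn.example/x.js are parsed correctly.
    """
    site_host = site_host.lower()
    collector = _ResourceCollector()
    collector.feed(html)
    return [
        (tag, url, sri)
        for tag, url, sri in collector.resources
        if urlparse(url).netloc.lower() not in ("", site_host)
    ]


def unpinned_third_party_scripts(html, site_host):
    """Third-party <script src> URLs that carry no SRI integrity attribute."""
    return [
        url
        for tag, url, sri in third_party_resources(html, site_host)
        if tag == "script" and not sri
    ]


# Constructed sample page modelled on a consumer-facing site that embeds
# analytics, a social widget, a video player and a tracking pixel.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="//widgets.example-social.com/share.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
</head><body>
<iframe src="https://player.example-video.com/embed/123"></iframe>
<img src="https://pixel.example-dmp.com/track.gif">
</body></html>
"""

if __name__ == "__main__":
    site = "www.example-bank.com"
    for tag, url, sri in third_party_resources(SAMPLE_HTML, site):
        print(f"{tag:<7} {'SRI' if sri else '---':<4} {url}")
    print("unpinned scripts:", unpinned_third_party_scripts(SAMPLE_HTML, site))
```

Run against a real page's HTML, the first list is the inventory that "IT" usually lacks; the second is the subset that would execute whatever the third party (or whoever compromises it) serves next, which is the mechanism that turned Crystal Finance Millennium's server into a malware distribution point for its visitors.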

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.
