Ransomware Attacks and How They Affect Your Website

Cloudsine Team

30 May 2017

5 min read

Ransomware is an especially nasty attack that holds your data hostage until you pay the attacker a fee. This fee can be anywhere from $50 to several thousands of dollars. If you don’t pay, usually the attacker continues to increase the fee until you are forced to wipe your server’s hard drive and start over. Unless you have a backup, ransomware is an incredibly expensive malware to have on your server — both in terms of recovery time and lost data.

One of the biggest mistakes webmasters make is thinking that it will never happen to them. Ransomware is popular with many attackers because it produces income, rather than simply destroying data for pleasure. For some attackers it is simply a business, so the malware is well crafted and efficient.

Everyone is at risk of ransomware, so if you have any type of public-facing platform, you are on the list of potential victims. Take San Francisco public transportation, for instance. The attacker demanded $73,000 after taking down ticketing systems for the Municipal Transportation Agency. Numerous other attacks have continued to happen, mainly since 2016, and ransom demands vary widely: $570 from a small church in Oregon, $17,000 from a local hospital in Hollywood, California.

There is even ransomware that targets specific platforms. We’re going to take a look at CTB-Locker, a ransomware application that targets WordPress platforms.

Brief look at the way CTB-Locker (and others) attack a website

CTB-Locker (the website version) attacks WordPress sites specifically, so it’s not an executable file like other ransomware that runs on a desktop. CTB-Locker is a PHP program, so that means it’s designed to run on web servers that run PHP. This includes Linux and Windows servers that host WordPress sites. There is also a desktop version available, but we’ll discuss only the website version.

Instead of infecting a machine using a malicious download, the website version of CTB-Locker requires the attacker to hack the website. There are numerous ways an attacker can hack your website. It can be anywhere from you falling for a phishing scam through email to having poor security configured on your server. Some SQL injection vulnerabilities give an attacker the ability to get administrative control of your server.

One of the most common ways an attacker gains access to a WordPress site is through malicious add-ons: plugins that contain backdoors, or themes with malicious code embedded in them.

Once the attacker has access, he replaces the main WordPress file, index.php, with the CTB-coded file. With the new file installed, the attacker encrypts all of your data the next time index.php runs. This file runs every time your WordPress site loads in a browser, so the next time a user opens your site, the data is encrypted.
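The index.php swap described above is a change a file-integrity check will catch. The following is an added example (not from the article, and not CTB-Locker's code): it hashes the PHP files under a WordPress document root while the site is known to be clean, then reports files that were modified, deleted or newly added. The directory layout and file contents in `demo()` are constructed stand-ins.

```python
# Added example (not from the article or from CTB-Locker): a baseline-manifest
# integrity check over a WordPress document root. Hash the PHP files while the
# site is known clean, then report modified, missing and newly added files,
# which catches the index.php replacement described above.
import hashlib
import os
import tempfile

def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map each .php file (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def check_integrity(root: str, baseline: dict) -> dict:
    """Diff the current tree against a baseline taken while the site was clean."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo() -> dict:
    """Constructed scenario: clean site, then index.php overwritten and a file dropped."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", "<?php require __DIR__ . '/wp-blog-header.php';\n")
        write(root, "wp-content/themes/demo/functions.php", "<?php // constructed theme file\n")
        baseline = build_manifest(root)  # store this off the server, e.g. with the backups
        write(root, "index.php", "<?php // constructed stand-in for the replaced file\n")
        write(root, "wp-content/dropped.php", "<?php // constructed newly added file\n")
        return check_integrity(root, baseline)
```

Keep the baseline manifest off the web server, since anything stored alongside the site can be altered or encrypted with it; run the check from a scheduled job and alert on any non-empty result.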

After the encryption takes place, the next time you see your site, the following message will display:

Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site.

The following page displays instead of your website.

All data, from images to video to simple text files, is encrypted. This is a symmetric encryption method, which means the same key is used to encrypt and decrypt files. Pay the 0.4 bitcoins (equivalent to USD $1904) and you may or may not receive the decryption key.

If you decide to look at the index.php code, here is the encryption part of the PHP file.

The index.php file installed on the web server uses jQuery to communicate with the central server. This is how the attacker knows that your data is encrypted, and how you can get the key should you pay. One interesting feature installed with CTB-Locker is a chat system. You can even live chat with the attacker to find out what to do next.

What Can You Do to Avoid This Vulnerability?

Since the attacker needs access to your web server to upload the file, the biggest risk is malicious plugins. A dangerous plugin could even come from a legitimate developer who unknowingly introduced a vulnerability into their code. There are plenty of developers that purposely create backdoors, however.

A backdoor is a section of code that allows the attacker to gain access to your site. These security issues are common in free themes or plugins you download from untrusted sources. Some call these free themes “nulled” themes. A WordPress theme template costs anywhere between $20 and $100, so it’s better to legitimately buy your theme instead of using a cracked one.

Always keep your server software up-to-date, including your WordPress platform. Software developers release patches at irregular intervals to fix bugs and security issues, so make sure your software is always patched with the latest update.

Keeping software patched includes the operating system. If you have shared hosting, the hosting company is in charge of your server. The hosting company also patches the operating system if you use managed services. If you use any other type of service such as VPS or dedicated servers, you need to patch the operating system yourself.

One final suggestion is to add security tools to your WordPress site. WebOrion and Wordfence are two security tools that help. WebOrion adds a Web Application Firewall layer to block malicious requests, while Wordfence scans your site for issues and blocks malicious login attempts against your admin dashboard.

Always take frequent backups to avoid losing everything should you suddenly become the victim of ransomware. A backup you can restore from is what removes the pressure to pay. Keep these backups in the cloud, off the web server, because many ransomware applications encrypt backups as well. Take these precautions to keep your site safe from ransomware.

Author: Jennifer Marsh
Editor: WebOrion Team