Website Ransomware Trending Now

Vertek’s security operations team has noticed website ransomware is starting to pick up steam with recent variants of AwesomeWare, a PHP based ransomware that targets vulnerable web servers and encrypts the web server files with Rijndael AES 128bit cipher. Infected hosts redirect all web traffic to the ransom note/defacement page requesting contact by email and/or payment via bitcoin wallet.

AwesomeWare

AwesomeWare was developed by Bug7Sec, an Indonesian threat actor, and placed on Github.com about a year ago (https://github.com/bug7sec/Ransomware). There are a few known variants of AwesomeWare going around right now, “EV”, “Shutdown57”, and “Crypt0saur”. Wordfence wrote a nice article on AwesomeWare / EV here: https://www.wordfence.com/blog/2017/08/ransomware-wordpress/. WordPress sites may be one of the most infected as they make up almost 20% of all websites on the internet (many with outdated plugins and vulnerable configurations), we couldn’t find anything in the code to indicate that wordpress was the specific target.  The targets at risk are any webservers where the adversary can obtain a root shell, upload files and/or escalate privileges.

EV Variant

EV replaces web server files with an encrypted copy that has the .ev extension and deletes the original. The ransom note is contained in ev.php and a .htaccess file redirects all links to that defacement page.

Although the ransom note claims that the files will be deleted once the timer reaches expiration, it doesn’t appear to be true. There is no code in the samples that we analyzed to support that. As you can see below the countdown is reset when the timer reaches 0.

EV is an abbreviation for Error Violence, it is an Indonesian hacking  site/forum where they host a tutorial for this attack calling it “Wannacrypt Ransomware for Website”: https://errorviolence.com/2017/05/18/wannacrypt-ransomware/.

Shutdown57 Variant

Shutdown57 is quite similar to EV, as it is closely based off the AwesomeWare code.  It encrypts with extension .shutdown57 and leaves a ransom note redirect  to shutdown.php.

Crypt0saur Variant

Crypt0suar is another variant of AwesomeWare created by “404”. “Crypt0saur” was recently unveiled in a youtube video for “educational purposes” on July 17, 2017 (https://www.youtube.com/watch?v=xbF7q-POFx8). Like other AwesomeWare variants, Crypt0suar encrypts files with Rijndael 128bit cipher, but uses extension .1337 and leaves a ransom note on the defacement page asur.php. All website URLs are redirected to asur.php via .htaccess file, again like other AwesomeWare variants. The crypt0saur source below appears to be quite different at first glance, but an analysis of the decoded PHP reveals several borrowed functions and methods from AwesomeWare.

Out of the three compromised websites that we were able to find, only one of them provided a live sample. The threat actor was “v1ru5” at greenvirus707@gmail[.]com, whom has also been using the shutdown57 variant.

How can you protect your organization’s website from being infected with ransomware?

• Take frequent backups and store them offline
• Keep up to date with security patches (OS, applications, and plugins)
• Follow security hardening guidelines on your web server configurations
• Implement a robust security monitoring solution that utilizes current threat indicators and continuous vulnerability scanning