Hackers Attack Websites with Ransomware

August 29, 2017

SonicWALL Threat Research Labs recently received reports of attackers targeting websites with ransomware. Attackers are uploading malicious PHP files onto the websites. These PHP files allow the attacker to encrypt the website's files and then extort money from the site's owner.

Once uploaded, the attacker then connects to the ransomware via a web browser, as follows:

The attacker can then submit a complex encryption key to encrypt the site's content. This results to:

The malware overwrites the .htaccess file with the following contents:

#Bug7sec Team
DirectoryIndex shor7cut.php
ErrorDocument 404 /shor7cut.php

This redirects the website to the file shor7cut.php.

In addition, the ransomware traverses the directory searching for files to encrypt. The file contents are then encrypted using PHP's mcrypt function. And then it is renamed with the .shor7cut extension name.

Once the malware is done encrypting, it sends an email to the attacker containing the encryption key used:

Once the site owner pays the ransom, the attacker then goes back to the ransomware PHP and choose the "DeInfection" option:

Entering the appropriate key, the ransomware then restores the files:

SonicWALL Threat Research Team has the following signature to protect their customers from this type of attack:

  • GAV 17970: Ronggolawe.RSM
  • WAF 1669: Ronggolawe.RSM