What is Ransomware?
Ransomware attacks have been one of the emerging cyber threats over the past few years. Ransomware is a type of malware that denies access to a computer system by systematically encrypting the files on its hard drive with strong encryption. A ransom is then demanded, generally in bitcoins, in exchange for the key needed to decrypt the files. Recently, a trend has been developing where websites have become victims of ransomware attacks, with the website’s files and web pages held for ransom.
How does it attack Websites?
Malware is typically injected into a website by exploiting known vulnerabilities in the site’s plugins, third-party software or web server configuration. Once on the host machine, the malware encrypts all the files in the “home” directory, including backup directories and most of the system folders typically associated with website files, images, code libraries and scripts. An example of such ransomware is the website variant of CTB Locker, which targets WordPress-powered websites: it replaces index.php with a new index.php that encrypts the site’s data with AES-256 and displays a defaced home page containing instructions to pay the ransom.
Many of the websites that fall victim to such an attack are likely running versions of WordPress which are either out of date, poorly configured or running plugins with known security vulnerabilities. Further technical detail on how the website variant of CTB Locker ransomware works can be found here. The risk is even higher in a shared hosting environment, where the malware can spread through cross-contamination to other websites hosted on the same web server.
What are my options if my Website is Attacked?
While security software may be designed to detect such threats, it may not always be able to detect new variants, especially if the signatures for a new variant are unknown to the security software. Unfortunately, due to the nature of this threat, no means of decrypting files encrypted through this attack technique yet exists, meaning victims who do not have a backup must pay if they want their files restored. However, paying a ransom is not recommended: it does not guarantee that your website will be restored to its original state or that the perpetrators will not come back. Also, since it funds criminal activities, you are strongly advised against paying a ransom if at all possible.
What can I do to protect my Website against ransomware attacks?
There are measures you can take to protect your websites against ransomware attacks. If implemented, they will greatly reduce the risk of a successful attack, either by preventing the attack from happening or by greatly reducing the damage caused if you are unfortunate enough to have your website compromised.
Keep the website software, including third-party plugins, modules and libraries, patched and up to date.
Restrict access to the admin panel interface to specific IP addresses only, where possible.
Define password policies for your organisation. Use a complex password for the admin panel login. Make use of two-factor authentication where possible.
Develop a backup strategy that takes regular offline or remote backups. The website can then be restored to its original state from a clean backup copy very quickly. You must also investigate the root cause of a compromise and take corrective measures to prevent it from happening again in future.
Always keep your test environment separate from the production environment, i.e. do not run both environments on the same web server. Keep your attack surface to a minimum by removing any unwanted files or software from the web server.
Install a web application firewall (WAF) or the security plugins offered by various content management systems, including WordPress, and configure them appropriately. This is part of a defence-in-depth strategy and helps thwart most of these attacks.
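As an added illustration of the backup and root-cause points above (example code, not from the original post): a small file-integrity check that records SHA-256 hashes of a clean web root and later reports which files were replaced, modified or added, the symptoms described for the CTB Locker website variant (a swapped index.php and mass-modified files). The directory layout, sample file contents and the 50% mass-change threshold are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def compare_baseline(baseline, current):
    """Classify files as modified, added or removed relative to the clean baseline."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return {"modified": modified, "added": added, "removed": removed}


def assess(report, total_files, mass_change_ratio=0.5):
    """Flag a replaced index.php and mass file changes (assumed 50% threshold)."""
    findings = []
    if "index.php" in report["modified"] or "index.php" in report["added"]:
        findings.append("index.php replaced or modified")
    if total_files and len(report["modified"]) / total_files >= mass_change_ratio:
        findings.append("mass modification of files (possible encryption)")
    return findings


def demo():
    """Constructed sample: baseline a tiny WordPress-like tree, then simulate the compromise."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = {"index.php": "<?php require 'wp-blog-header.php';",
                 "wp-config.php": "<?php define('DB_NAME', 'wp');",
                 "wp-content/themes/x/style.css": "body{}",
                 "wp-content/uploads/a.jpg": "jpegdata"}
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = hash_tree(root)  # taken while the site is known to be clean
        # Simulated compromise: index.php swapped for a ransom page, other files overwritten
        (root / "index.php").write_text("<?php /* ransom page */")
        for rel in list(clean)[1:]:
            (root / rel).write_bytes(b"\x9f\x13" * 16)
        (root / "index.php.bak").write_text("junk")
        report = compare_baseline(baseline, hash_tree(root))
        return report, assess(report, len(baseline))
```

In practice the baseline would be stored off the web server (with the backups) and the comparison run on a schedule, so a replaced index.php is noticed before the ransom page does.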
If you are worried about your website being a target of this type of attack and are not sure you have the in-house expertise to protect against such threats, please contact us for further advice or help.
Posted by Vishal Garg on 14 Mar