Will Websites Be the Next Target of Ransomware Attacks?

Recent research by Wordfence indicates that Wordpress might be the next big ransomware target. Wordfence found that certain Wordpress plugins exhibit malicious behaviour in the form of ransomware against the host website. Typically, these plugins will encrypt the data on the website, thereby rendering it non-functional, and then attempt to extort payment from the owner in order to decrypt the website.

An obvious concern arises as to how susceptible large corporate or enterprise websites are to similar attacks. It’s Wordpress today, which is more the domain of private blogs or small business sites, but how long before these attacks are adapted to target larger enterprise websites?

One advantage businesses may have is that the technical or security skill level of members of a typical corporate IT or security department is significantly higher than that of an average Wordpress user. Wordpress by its nature and design is easily extensible by many freely available and powerful marketplace plugins; however there is nothing to prevent an attacker embedding a malicious payload (in the form of ransomware toolkit) into a plugin. Most corporate or enterprise sites, on the other hand, will be bespoke software development projects written in one of the popular languages such as Java, Javascript and C#.

How Vulnerable Are Enterprises to Website Attacks?

So how vulnerable might these enterprise or corporate websites be to similar attacks? The typical attack vector would be for an attacker to embed a ransomware toolkit into a software package (a collection of useful functionality, often open source in nature) and then to use the standard distribution channels to distribute the malicious packages. Each of the dominant language ecosystems has a distribution channel for package deployment: Javascript uses NPM, Java uses Maven and .Net uses NuGet. These package management solutions tend to favour feature and function over security and are easily open to exploit. There has been recent research into relatively unsophisticated attacks on the NPM system where an attacker was able to use a ‘typosquat’ technique to deploy a malicious package with a similar name to a well-known package. A software developer could be easily tricked into installing a fake package into their website application and subsequently exposing their organisation to attack, quite possibly in the form of a ransomware attack. A cursory survey of other popular package management solutions (NuGet, Maven, Ruby Gems, etc) reveals that they may be vulnerable to similar attacks.

How Can You Protect Against These Types of Attacks?

Software developers are increasingly under pressure to deliver functionality and features as a competitive differentiator. But security professionals need to ensure that sufficient governance is enforced to prevent corporate websites falling vulnerable to ransomware attacks due to the careless inclusion of malicious components.

The first step in prevention is education and awareness. Security teams should help to raise awareness among developers of the possible risks, and encourage them to exercise greater caution when including components, perhaps by performing simple integrity checking using fingerprinting to verify authenticity. In addition, excellent technological solutions exist to detect and prevent the inclusion of malicious components. Software composition analysis assessments allows an organisation to perform an inventory of all components used within their organisation and thereby build a composite view of their risk due to third-party components. With this view, when a big vulnerability hits the news, teams can quickly identify which applications in their organization are vulnerable. Such software composition technology could also be utilised to assess components for signs of malicious intent, although a motivated attacker can use sophisticated obfuscation techniques to mask underlying intent.

The most effective mechanism of protection against malicious content is to prevent its inclusion in the first instance. In the most draconian manner, software developers can be barred from accessing public component repositories using firewall rules thereby guaranteeing no malicious (or otherwise) components are included. This is hardly a pragmatic approach as the software developers will now have to “re-invent the wheel” to deliver functionality.

A more realistic approach is to use technology in the form of a package manager (such as Artefactory or Nexus Sonatype) to enforce a security policy and allow developers to draw upon known, validated and approved software components whilst at the same time being prevented from including potentially malicious components from the wider internet. Think of this as a “firewall for software components.”

Learn more

Get more details on the risks of software components and how to use them securely in Components: Increasing Speed and Risk.

Originally an embedded systems developer working on military grade secure communications systems in South Africa, Colin has over 20 years of development and security expertise in the telecommunications, consumer, medical and financial service industries. His most recent experience has been as the technical expert leading a large scale application security programme in a large multinational investment bank. He was responsible for the deployment and operation of the Veracode service, and leading the remediation programme, and deploying a RASP solution within the organisation.