Hackers Attack Websites with Ransomware – April 2018

SonicWALL Threat Research Labs recently received reports of attackers targeting websites with ransomware. The attackers upload a malicious PHP file to a compromised website; that file lets them encrypt the site's files and then extort money from the site's owner. Once the file is uploaded, the attacker connects to it with a web browser and submits a complex encryption key, which encrypts the site's content. The effects are as follows:

The malware overwrites the .htaccess file with the following contents:

#Bug7sec Team
DirectoryIndex shor7cut.php
ErrorDocument 404 /shor7cut.php

This makes shor7cut.php the default page served for directory requests (DirectoryIndex) and the page returned for any missing URL (ErrorDocument 404), so visitors are effectively redirected to the file shor7cut.php regardless of what they request.

In addition, the ransomware traverses the site's directory tree looking for files to encrypt. Each file's contents are encrypted with PHP's mcrypt functions, and the file is then renamed with the .shor7cut extension. (The mcrypt extension was deprecated in PHP 7.1 and removed from the core distribution in PHP 7.2, so the malware depends on that extension being available on the target host.)

Once the malware finishes encrypting, it sends the attacker an email containing the encryption key that was used:

Once the site owner pays the ransom, the attacker returns to the ransomware PHP page and chooses the “DeInfection” option:

After the attacker enters the appropriate key, the ransomware restores the files:
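For a site owner or incident responder, the indicators above (the tagged .htaccess, the shor7cut.php file it points at, and the .shor7cut extension on encrypted files) are enough to triage a web root. The following script is an added example, not code from SonicWALL or from the malware; it walks a directory tree and reports each indicator. It assumes the dropper is saved under the same name the .htaccess directives reference (shor7cut.php), and the sample web root it builds in a temporary directory is constructed here purely for demonstration.

```python
"""Triage a web root for indicators of the shor7cut (Ronggolawe) PHP ransomware.

Added example: the indicator values come from the analysis above; the sample
directory tree below is constructed and is not a real capture.
"""
import os
import re
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".shor7cut"      # extension appended to encrypted files
DROPPER_NAME = "shor7cut.php"    # assumption: dropper keeps the name .htaccess points at

# Directives the malware writes into .htaccess, plus its "#Bug7sec Team" tag line.
HTACCESS_PATTERNS = [
    re.compile(r"^\s*DirectoryIndex\s+.*\bshor7cut\.php\b", re.I | re.M),
    re.compile(r"^\s*ErrorDocument\s+404\s+\S*shor7cut\.php\b", re.I | re.M),
    re.compile(r"^\s*#\s*Bug7sec\s+Team", re.I | re.M),
]


def scan_webroot(root):
    """Walk `root` and return {'htaccess': [...], 'dropper': [...], 'encrypted': [...]}.

    'htaccess' lists .htaccess files carrying the redirect, 'dropper' lists
    copies of shor7cut.php, and 'encrypted' lists files renamed to *.shor7cut.
    """
    findings = {"htaccess": [], "dropper": [], "encrypted": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name == ".htaccess":
                try:
                    text = path.read_text(errors="replace")
                except OSError:
                    continue
                if any(p.search(text) for p in HTACCESS_PATTERNS):
                    findings["htaccess"].append(str(path))
            elif name.lower() == DROPPER_NAME:
                findings["dropper"].append(str(path))
            elif name.endswith(ENCRYPTED_EXT):
                findings["encrypted"].append(str(path))
    return findings


def build_sample_webroot(base):
    """Create a constructed, infected-looking site under `base` for the demo."""
    base = Path(base)
    (base / "wp-content" / "uploads").mkdir(parents=True, exist_ok=True)
    # .htaccess exactly as the analysis shows it after infection.
    (base / ".htaccess").write_text(
        "#Bug7sec Team\nDirectoryIndex shor7cut.php\nErrorDocument 404 /shor7cut.php\n"
    )
    # Hypothetical upload location for the dropper.
    (base / "wp-content" / "uploads" / DROPPER_NAME).write_text("<?php /* placeholder */ ?>\n")
    # Two files already encrypted and renamed, one untouched file.
    (base / "index.php" + ENCRYPTED_EXT if False else base / ("index.php" + ENCRYPTED_EXT)).write_bytes(b"\x00\x01")
    (base / "wp-content" / ("style.css" + ENCRYPTED_EXT)).write_bytes(b"\x02")
    (base / "wp-content" / "clean.txt").write_text("untouched\n")
    return base


def run_demo():
    """Build the sample tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_webroot(tmp)
        return scan_webroot(tmp)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {len(paths)} hit(s)")
        for p in paths:
            print("   ", p)
```

Run it against a real site with `scan_webroot("/var/www/html")`; a non-empty `htaccess` or `dropper` list means the site should be taken offline and restored from backup, and the `encrypted` list gives the scope of the damage. The .htaccess check matches the directive text rather than the file hash, so a variant that changes only the comment or the path still trips it.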

SonicWALL Threat Research Team has the following signatures to protect their customers from this type of attack:

  • GAV 17970: Ronggolawe.RSM
  • WAF 1669: Ronggolawe.RSM
