Wave of business websites hijacked to deliver crypto-ransomware

Sites exploited by SoakSoak bots give the gift of CryptXXX malware.

If you’ve visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for. These sites are redirecting visitors to a malicious website that attempts to install CryptXXX—a strain of cryptographic ransomware first discovered in April.

The sites were most likely exploited by a botnet called SoakSoak or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin.


In this recent wave of compromises, SoakSoak planted code that redirects visitors to a website hosting the Neutrino Exploit Kit, a “commercial” malware-dropping Web tool sold through underground marketplaces. The latest string of compromises appears to have begun in May. But since then, both the malware kit and the ransomware have been upgraded. The latest version of the exploit kit attempts to evade security software or virtual machines.

“Once a victim is redirected to the Neutrino Exploit Kit, the endpoint is scanned to check if it is using any security software such as VMware, Wireshark, ESET, Fiddler, or a Flash player debugging utility,” Pat Belcher of the endpoint security software vendor Invincea wrote in a blog post. “If those programs are not present on the victim host, the Command Shell is opened and the Windows utility of Wscript is accessed to download the ransomware payload from a Command and Control server.”
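The process chain Belcher describes (a browser session that opens the command shell, which in turn starts Wscript) is something endpoint telemetry can flag. The following is an added detection sketch, not code from Invincea or from this article; the event fields, the browser list and every sample record are constructed assumptions.

```python
# Added example: flag browser -> cmd.exe -> wscript.exe process chains.
# Field names and all events are constructed sample data (assumptions).
import ntpath

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}  # assumed browser list

EVENTS = [  # constructed process-creation records: pid, parent pid, image path
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\wscript.exe"},
    # Benign: a script run from a shell that Explorer started, no browser parent.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\WScript.exe"},
    # Browser spawning a shell with no script-host child: not the full chain.
    {"pid": 400, "ppid": 100,
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe"},
]


def exe_name(event):
    """Lower-cased executable name taken from a Windows image path."""
    return ntpath.basename(event["image"]).lower()


def find_chains(events):
    """Return (browser_pid, cmd_pid, wscript_pid) for every full chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if exe_name(e) != "wscript.exe":
            continue
        shell = by_pid.get(e["ppid"])
        if shell is None or exe_name(shell) != "cmd.exe":
            continue
        browser = by_pid.get(shell["ppid"])
        if browser is not None and exe_name(browser) in BROWSERS:
            hits.append((browser["pid"], shell["pid"], e["pid"]))
    return hits


if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print("suspicious chain (browser, cmd, wscript):", chain)
```

On real telemetry, process IDs are reused over time, so events should be keyed by host and a bounded time window before building the parent lookup.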

CryptXXX, like other crypto-ransomware variants, encrypts files and directs the victim to a Tor .onion website to pay for the key to unlock them. The malware attempts to mount every possible drive to search for files, looking for networked drives and external devices as well as local disks. It demands a steep ransom to get those files—in some cases, over $500 worth of Bitcoin.

Ars attempted to contact Dunlop and some of the other organizations with affected sites, but we received no replies. We will update this story with their responses as they become available. Even as those organizations try to regain control of their websites, others are likely to be rapidly compromised because of the vast number of sites that are behind on patching site add-ons like WordPress plugins.