Analysis of Ronggolawe Ransomware and How to Block It

Analysis-of-Ronggolawe-Ransomware-and-How-to-Block-It

In the last few years ransomware attacks have been significantly on the rise. This infamous trend began by targeting end point users’ machines, such as personal desktop and laptops. Later, it evolved and broadened the attack surface to target mobile phones and servers.

Web Servers Not Immune to Ransomware Attacks

Web server ransomware is not new. In fact we witnessed first evidence of it back at 2015 and most recently in the well-known attack aimed at the South Korean web hosting company NAYANA. Unfortunately, today ransomware targeted at web servers is even more popular especially given the availability of open source malware easily found in public repositories such as GitHub. Most recently we have seen reports of a new web server ransomware called Ronggolawe, the code name for AwesomeWare ransomware (file name: AwesomeWare.php) (see Figure 1).

ronggolawe awesomeware - ransomware page - 1

Figure 1: AwesomeWare ransom page

This particular ransomware was uploaded to GitHub a year ago by the bug7sec group. This group also uploaded few more interesting pieces of code such as backdoor shells, a vulnerability scanner and a login bypass tool. According to their Facebook page they are “Business Consultants” from Jakarta, Indonesia. Since this ransomware is open source we can find it incorporated into other dubious projects either modified based on malicious intent or used as is[1].

AwesomeWare Attack Vector

With personal desktops or mobile phones ransomware is usually delivered via a phishing email containing a malicious link or attachment. However, with web servers this method is futile and attackers needed to adapt the attack vector in order to infect their target. There are numerous ways for an attacker to run malicious code on a web server, but two of the most common methods are malicious file upload (MFU) or remote code execution (RCE). Both are based on security vulnerabilities in the web server application code base or in a third party library it uses.

Looking at sites infected by AwesomeWare (using Google dork) we can see that most use popular CMS platforms like Magento, WordPress, Joomla, etc. These platforms are highly susceptible to web attacks that leverage RCE and MFU due to their support for third party extensions and wide popularity.

How AwesomeWare Works

Once the attacker gets the malicious code on the server it can be used to either encrypt or decrypt the files in the server (see Figure 2).

ronggolawe awesomeware - control panel - 2

Figure 2: AwesomeWare control panel

If the attacker chooses to infect and encrypt the server two things happen. First, AwesomeWare changes the “.htaccess” file to redirect users to a new file named “shor7cut.php” and generates the file which contains the ransom note with the attacker contact details (see Figure 3).

ronggolawe awesomeware - ransomware page generation - 3

Figure 3: .htaccess manipulation and ransom page generation (click to enlarge image)

Then AwesomeWare scans the application’s directories and encrypts the files in them using PHPs “mcrypt_encrypt” function creating a cipher text compatible with AES (Rijndael block size = 128).

ronggolawe awesomeware - encryption function - 4

Figure 4: AwesomeWare encryption function

After files are encrypted AwesomeWare changes their extension to “.shor7cut”.

ronggolawe awesomeware - file extension change - 5

Figure 5: File extension change

Attacks Blocked by Imperva Incapsula

Imperva Incapsula WAF detects and blocks a wide variety of malicious file uploads and remote code execution attacks. It contains both platform specific rules (e.g. for Magento, WordPress, Joomla, Apache Struts, etc.) which are highly accurate as well as more generic rules to catch zero day attacks and variations of known attacks.

Since the Incapsula WAF blocks such attacks out of the box (the Imperva SecureSphere WAF does as well) we looked two months back at Incapsula WAF data and noticed an unusual surge in malicious file upload attacks over the past few weeks (see Figure 6).

ronggolawe awesomeware - MLU attack trends - 6

Figure 6: Malicious File Upload (MFU) attacks trend (click to enlarge image).

Data from August shows that by using one of our generic rules, Imperva Incapsula WAF blocked 14,000 MFU attacks from over 2,800 unique source IPs and protected 1,800 applications from being infected (see Figure 7)

ronggolawe awesomeware - source IP hidden

Figure 7: Malicious File Upload (MFU) attackers’ IPs from Imperva Incapsula data – August 2017 (click to enlarge image).

Some of the attacks were trying to exploit a known vulnerability in the Magento Webforms module in order to upload suspicious PHP files:

  • BUG7SEC-TEAM/b4ngs4t.php
  • BUG7SEC-TEAM/jmbuts.php

Given the name of files, it’s not a leap to assume these attacks are connected to the aforementioned bug7sec group, the same group that authored the AwesomeWare ransomware.

To gather more information about the attacks we used our IP forensics system and detected that the attackers are using an automated tool (mostly cURL) to carry out the attacks from Google Cloud service. While searching the web we also found two tools (this and this) related to the bug7sec team exploiting Magento vulnerabilities including the Webforms module.

Additional Resources

Ransomware attacks continue to grow and attackers are expanding into new territories and vectors to maximize profits. Web servers are not immune to such attacks particularly when open source ransomware is publicly available. Organizations would be wise to have a WAF solution in place to block ransomware attacks like these out of the box to keep web servers protected and intact. Access the resources below to learn more about ransomware and ransomware protection.

Deception-based Ransomware Protection: What It Is and Why You Need it

Insider’s Guide to Defeating Ransomware

Imperva Incapsula WAF and Imperva SecureSphere WAF

 

[1] https://github.com/alintamvanz/webshell