Ukrainian Energy Ministry Site Downed in Drupal Ransomware Attack

Unpatched CMS software installations appear to have been targeted by ransomware attackers over the past few days, taking down the Ukrainian energy ministry among others.

The widely reported attack on the ministry site is said to have been an isolated incident in that it didn’t affect any other parts of the Ukrainian government.

Although attacks in the past have been blamed on Moscow, there are signs that this raid was the work of cyber-criminals.

For one, the attack did not target the country’s critical infrastructure, unlike previous threats which have caused power outages for hundreds of thousands in December 2015 and 2016.

The ransomware message was also written in English and demanded just 0.1 Bitcoin ($927). The payment address used previously appears only to have received around £100.

Security researcher Kevin Beaumont named it as Vevolocker, a variant around since mid-2017.

“Somebody posted the source code online which is causing more people using it,” he tweeted.

However, AlienVault security researcher Chris Doman claimed the compromised site also includes the contact details and “tag-sign” of the hacker.

“What has probably happened here is that a hacktivist has hacked the site for fun, then the criminal ransomware attacker has used their backdoor to try and make some money,” he argued.

Other experts suggested the attacks were automated and targeted a critical vulnerability in the Drupal CMS software which was patched a month ago.

“While many people might be quick to cast blame on Russia for this incident, I believe this was probably not the case. Looking over the internet archive of this site, it appears that they were running Drupal 7 which is currently under active attack by automated attackers armed with Drupalgeddon2 exploits,” explained Tripwire researcher Craig Young.

“Drupalgeddon2 is a highly critical remote code execution bug affecting most Drupal sites which was disclosed at the end of March. It is also possible (although less likely) that someone is already exploiting CVE-2018-7602 which the Drupal team announced just yesterday but has yet to provide a public fix.”

He said the incident underscores the need for organizations to patch promptly and ensure they maintain up-to-date back-ups of their content.

What’s Hot on Infosecurity Magazine?