Security Advisory: Ransomware Infection Attempt via Malicious Website Interaction

Difenda has detected and responded to an incident in which an employee accessed a compromised website and inadvertently executed malicious code, leading to a ransomware infection attempt. This incident underscores the importance of vigilance when engaging with websites that may display unexpected prompts or request user actions outside standard browsing behavior.

Ransomware Infection Attempt via Malicious Website Interaction Technical Overview

Incident Details

1. Website Compromise: The employee reported that they frequently visit a trusted website, which was recently compromised. Despite the website owner’s attempt to resolve the issue, malicious code remained active.
2. Suspicious Prompt: When accessing the site, the employee encountered a pop-up window requesting them to verify they were human, using a simple checkbox without the traditional visual tests.
3. Execution of Malicious Code: Following the initial prompt, a second pop-up appeared with detailed instructions, including copying and executing a code snippet via the command line. The employee, rushing through tasks, followed the instructions.
4. Resulting Infection: Running the code led to an immediate ransomware infection on the laptop, though our endpoint protection effectively blocked all internet access, neutralizing the threat.

Technical Analysis

• Method of Infection: Social engineering via a compromised, trusted website, leveraging unusual prompts to encourage the execution of malicious code.
• Threat Vector: Command-line code execution that triggered a ransomware payload on the device.

What Our Threat Intelligence Team is Seeing

Difenda has observed a sophisticated, multi-stage incident on a corporate endpoint involving ransomware and indicators related to Storm-0300 activity. The incident began with an outbound connection to a known malicious IP and a connection to a suspicious URL, which triggered a sequence of concerning activities.

Following this connection, our systems detected and blocked a Wacatac malware file that was initiated by a PowerShell command. Defender successfully prevented Wacatac from executing, containing the infection at an early stage. Additional PowerShell command-line activity suggested further attempts at exploitation, confirming the sophisticated nature of this threat.

Through this activity, Difenda’s monitoring detected multiple stages in the attack chain, including:

• Initial access through a malicious URL linked to the observed IP address.
• Suspicious file creation and network connection events containing indicators associated with Storm-0300.
• PowerShell commands consistent with tactics used in ransomware and multi-stage malware attacks.

Microsoft Detections 

• Microsoft Defender for Endpoint:
  • Ransomware-linked emerging threat activity group detected

IOCs

• hxxp://traversecityspringbreak[.]com/
• hxxps://inspyrehomedesign[.]com
• Ray-verify[.]HTML
• cace794532ffc2a8275c86e4248ca38cf85dfb209d630e05e049d6fe2047ea2e
• 166[.]1[.]160[.]211

What We Suggest to Stop Ransomware Infection Attempt via Malicious Website Interaction

1. Exercise Caution with Website Prompts: Users should avoid interacting with unusual prompts or executing code from unverified sources, particularly when unexpected.
2. Enhance Awareness Training: Reinforce cybersecurity awareness with users, emphasizing the risks of executing commands outside of verified and secure applications.
3. Monitor Endpoints for Similar Attempts: Increase monitoring for attempts to execute unverified code via command line on endpoints.
4. Conduct Regular Phishing Simulations: Provide realistic simulations to train employees on recognizing and avoiding social engineering tactics.