
Ransomware attack on Israeli users fails miserably due to coding error

To avoid becoming a ransomware victim, organizations need to protect their network now and prioritize resources. These attacks will only continue to grow, and no organization wants to be portrayed in the media as having been forced to pay a ransom. If you are forced to pay, customers can lose trust in your organization’s ability to secure their personal data, and the company can see decreases in revenue and profit.

Be ready to respond to the hackers’ attacks and secure your valuable files with SkyFlok. 

In case of a ransomware attack, SkyFlok has a backup plan for its customers. With SkyFlok, you can recover in no time as we keep all previous versions of your files. Damage to the latest version due to a ransomware attack in your premises does not compromise the past versions.

Do not become a ransomware victim, and keep your and your clients’ data private with SkyFlok!

The incident took place on Saturday, March 2, when hackers successfully poisoned DNS records for Nagich, a web service that provides an accessibility (a11y) widget that’s embedded on thousands of Israeli websites to provide access for persons with reading disabilities.

According to reports from Israeli cyber-security experts, hackers used the Nagich widget to automatically embed malicious code on thousands of Israeli websites.

The code would first and foremost deface the site with a message that read “#OpJerusalem, Jerusalem is the capital of Palestine,” and then would initiate an automatic download for a Windows file named “flashplayer_install.exe,” a file tainted with ransomware.

However, things didn’t go as planned for the hackers. While the defacement message showed on thousands of web pages, including some of the biggest news sites in Israel, the file download did not start at all.

Researchers only spotted the code that was meant to trigger the file download while analyzing the defacement messages.

They said that a coding mistake prevented the auto-download operation from ever taking place. The malicious code would stop after the defacement, and not trigger the ransomware download, whenever the OS string was anything other than exactly “Windows.”

The error came from the fact that no user-agent string reports “Windows” alone: browser user-agent strings always include the Windows version as well, such as “Windows XP” or “Windows 10.”

This meant that the “if” statement always evaluated to true, regardless of operating system, so the malicious code performed the defacement and then stopped, aborting the download exactly as the faulty check instructed it to.

According to an analysis by CyberArk, the file that was meant to download onto users’ systems was a nondescript ransomware strain that would have encrypted files if users had ever run it.

The Nagich attack lasted only a few hours on Saturday and the service regained access to its DNS records and stopped delivering the malicious code by the end of the day.
