A new ransomware threat has been detected, this time targeting websites. Dubbed JapanLocker by researchers, the virus aims to display a “LockeD” message asking the victim to contact the e-mail address [email protected] to unlock the website. This ransomware is nothing new, but it shows that ransom viruses are spreading in multiple forms and that the website-locking kind has been seeing more and more variants lately. Anyone who has been affected by JapanLocker should immediately notify all the users of the compromised website. Paying the ransom is not recommended at this point; read the following article for more information on JapanLocker.
| Short Description | The ransomware performs an SQL injection, after which it may lock the user out of their database and ask for a ransom payment. |
| Symptoms | Files on the database may be encrypted and inaccessible. A ransom note appears on the website’s page. |
| Distribution Method | Targeted Attack |
JapanLocker – How It Infects
Similar to the “Drupal” ransomware, another virus of the same type, JapanLocker may use an SQL injection attack aimed directly at the main database of the targeted website. Since many website publishers use MySQL, this gives cyber-criminals an opportunity to carry out an SQL attack in multiple ways, for example by using the Python language.
But before attackers infect a website, they must first target it, because the success of the infection depends on this. Hackers with experience in this field, which is most likely the case with JapanLocker, probably use a specific type of website filtering that relies on special codes in Google. This set of techniques and commands is widely known as Google Dorking, and it aims to show the hackers different websites based on their preferences, such as:
- Vulnerable plugins or other aspects of the site that can be exploited.
- Error notifications.
- Sensitive or secret files.
- Sites connected with multiple cloud-based devices.
- Sites that have Web Server info.
- Sites that have files with username and password lists.
- Files containing financial or other crucial information that is not properly secured.
As soon as hackers, like the one or ones behind JapanLocker, have designated several websites, they narrow the list down by sending requests to view the index of the website and looking for vulnerabilities. They may also inject scripts that look for vulnerabilities in SQL, and if those scripts return an SQL error, this indicates that the site can be attacked.
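The SQL error signal described above comes from queries built by string concatenation. The following is an added example, not code from the original article or from JapanLocker; it uses Python's built-in sqlite3 as a stand-in for a site's MySQL database, and the `pages` table and function names are hypothetical. It shows the weak query beside the parameterized form, using an ordinary slug that contains an apostrophe.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for the site's MySQL database.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    db.executemany("INSERT INTO pages (slug, body) VALUES (?, ?)",
                   [("home", "Welcome"), ("o'brien", "Author page")])
    return db

def lookup_concatenated(db, slug):
    """Weak form: user input is spliced into the SQL text."""
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Returning the driver error to the client is the signal the
        # article describes: the input changed the query's syntax.
        return {"status": 500, "body": f"SQL error: {exc}"}
    return {"status": 200 if row else 404, "body": row[0] if row else ""}

def lookup_parameterized(db, slug):
    """Hardened form: input is bound as data, error details stay server-side."""
    try:
        row = db.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    except sqlite3.Error:
        return {"status": 500, "body": "Internal error"}  # log details, do not echo
    return {"status": 200 if row else 404, "body": row[0] if row else ""}

def leaks_sql_error(response):
    """Check whether database error text reached the client."""
    return response["status"] == 500 and "SQL error" in response["body"]

if __name__ == "__main__":
    db = make_db()
    for slug in ("home", "o'brien", "missing"):
        weak = lookup_concatenated(db, slug)
        safe = lookup_parameterized(db, slug)
        print(f"{slug!r}: concatenated={weak['status']} "
              f"leak={leaks_sql_error(weak)} parameterized={safe['status']}")
```

A check like `leaks_sql_error` can be run against a site's own error pages to confirm that database errors never reach visitors.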
How JapanLocker Works
JapanLocker may contain automated scripts that lock different aspects of an SQL database, such as the program interfaces of a website controlling its front end. As soon as the files related to this are discovered by the ransomware, they may be encrypted or altered, and the virus may display its primary ransom message:
The data of an encrypted website’s primary web page, which is displayed, is also scrambled, and demonslay335 (Michael Gillespie) reports that the following or similar scrambled data appears as the home page after an infection by JapanLocker:
JapanLocker – What to Do If Infected
If you have suffered an attack by JapanLocker ransomware, there is not much you can do at this point. Whatever the case may be, you should assume that all the information stored in the website’s database may already be compromised, take the necessary precautions to notify anyone affected, and change any credentials that may exist in the database.
If you have a server, it is very important to protect it using a variety of tools and methods, such as advanced anti-malware software, a customized firewall, a cloud backup solution, and other similar measures, to avoid such attacks in the future.
It is also recommended practice to have a reliable anti-malware tool if you are working on a compromised website, because the criminals may use the information on the compromised website to infect its users.