Ransomware attack on Israeli users fails miserably due to coding error

Hackers failed to trigger the ransomware download due to a coding error but still managed to deface thousands of sites.

Ransomware remains a potent threat to businesses WannCry and NotPetya helped make 2017 the year of ransomware. But while there's been a shift towards cryptojacking attacks, file-encrypting malware is adapting and is still potent.

Hackers launched a failed cyber-attack on Saturday in an attempt to infect millions of Israeli users with ransomware.

The attack is believed to have been carried out by hackers operating out of Palestine, based on current evidence.

The incident took place on Saturday, March 2, when hackers successfully poisoned DNS records for Nagich, a web service that provides an accessibility (a11y) widget that's embedded on thousands of Israeli websites to provide access for persons with reading disabilities.

According to reports from Israeli cyber-security experts, hackers used the Nagich widget to automatically embed malicious code on thousands of Israeli websites.

The code would first and foremost deface the site with a message that read "#OpJerusalem, Jerusalem is the capital of Palestine," and then would initiate an automatic download for a Windows file named "flashplayer_install.exe," a file tainted with ransomware.

However, things didn't go as planned for the hackers. While the defacement message showed on thousands of web pages, including some of the biggest news sites in Israel, the file download did not start at all.

Researchers only spotted the code that was meant to trigger the file download while analyzing the defacement messages.

They said that a coding mistake prevented the auto-download operation from ever taking place. The mistake was that the malicious code would stop after the defacement, and not trigger the ransomware download if the OS version would be a string different from "Windows."

The error came from the fact that there is no user-agent string of "Windows" alone, as browser user-agent strings also include the Windows version number, such as "Windows XP" or "Windows 10."

This meant that the "if" statement always returned true, regardless of operating system, and the malicious code performed the defacement and then stopped, aborting the download on purpose.

According to an analysis by CyberArk, the file that was meant to download on users' systems was a non-descript ransomware strain that would have encrypted files if users ever ran it.

The Nagich attack lasted only a few hours on Saturday and the service regained access to its DNS records and stopped delivering the malicious code by the end of the day.

More ransomware coverage: