The Ransomweb Ransomware is a file-locking Trojan whose campaign targets public websites and locks their contents. Unlike most Trojans of this type, this threat doesn't use true encryption, and its attack can be reversible for users who load an appropriate PHP script. However, all users still should back their work up for recovery from these attacks and let dedicated cyber-security services remove the Ransomweb Ransomware as they detect it.
The Ransomweb Ransomware: Ironically, Missing a Ransom
Taking a file-locker Trojan at its word can lead victims to misidentify it, pay worthless ransoms, or make other mistakes. In the Ransomweb Ransomware's case, during a recent spree of defacing and locking public websites, victims may assume that their data is more damaged than it actually is. Users who keep a clear head may recover their work, even without a backup – which is exceedingly far from the norm in such cases.
The Ransomweb Ransomware's attacker is targeting insufficiently-secured websites, possibly through passive vulnerabilities or weak passwords. The Trojan plays the role of file-locker by blocking access to the website's files in a routine that is similar to, but critically different from, encryption. All attacks also append 'exploiter' extensions onto the files and leave a public-facing taunt message with ASCII art of the Indonesian coat of arms. There is no ransom demand or way of contacting the attacker, which sets the Ransomweb Ransomware apart from nearly all other file-locker Trojans, such as the Dharma Ransomware.
However, malware researchers have verified that the Ransomweb Ransomware does not use true encryption. It uses a compression function, PHP's gzdeflate, which has a corresponding 'reverse' inflation function: gzinflate. Any victim who runs the appropriate inflation script can directly restore their website's files, which is all but impossible in more traditional file-locking attacks.
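The recovery step described above, as an added example that is not part of the original article: PHP's gzdeflate emits a raw DEFLATE stream (no zlib or gzip header), which Python's zlib reads with wbits=-15, so the same inflation can be done from any admin machine over a copy of the site. The '.exploiter' extension, the sample site files and the "locked" fixtures are assumptions constructed for the demo; the script keeps each locked file until the inflated copy is safely written.

```python
import os
import tempfile
import zlib

# Assumed extension: the article only says the locker appends an 'exploiter' extension.
LOCKED_EXT = ".exploiter"

def raw_inflate(data: bytes) -> bytes:
    """Equivalent of PHP gzinflate(): raw DEFLATE, no zlib/gzip header."""
    return zlib.decompress(data, wbits=-15)

def raw_deflate(data: bytes) -> bytes:
    """Equivalent of PHP gzdeflate(); used here only to build demo fixtures."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()

def restore_locked_files(root: str, ext: str = LOCKED_EXT) -> dict:
    """Walk `root` and inflate every *ext file back to its original name.
    A file that is not a valid raw DEFLATE stream is left untouched, so a
    corrupt or unrelated file never costs the victim their only copy."""
    result = {"restored": [], "failed": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.endswith(ext):
                continue
            locked = os.path.join(dirpath, name)
            try:
                with open(locked, "rb") as fh:
                    plain = raw_inflate(fh.read())
            except zlib.error:
                result["failed"].append(locked)  # not DEFLATE: leave it alone
                continue
            original = locked[: -len(ext)]
            with open(original, "wb") as fh:
                fh.write(plain)
            os.remove(locked)  # only after the restored copy is on disk
            result["restored"].append(original)
    return result

def demo() -> dict:
    """Constructed mini site: lock it as the article describes, then restore it."""
    site = tempfile.mkdtemp(prefix="ransomweb_demo_")
    pages = {"index.php": b"<?php echo 'hello'; ?>\n", "css/style.css": b"body{margin:0}\n"}
    for rel, body in pages.items():
        path = os.path.join(site, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path + LOCKED_EXT, "wb") as fh:
            fh.write(raw_deflate(body))
    with open(os.path.join(site, "junk" + LOCKED_EXT), "wb") as fh:
        fh.write(b"\xff\xff\xff\xff not a DEFLATE stream")  # invalid block type
    outcome = restore_locked_files(site)
    recovered = {}
    for rel in pages:
        with open(os.path.join(site, rel), "rb") as fh:
            recovered[rel] = fh.read()
    return {"outcome": outcome, "recovered": recovered, "expected": pages}
```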
Data Restoration without Hassle
Some Ransomweb Ransomware infections include a password-protected unlocking component, a PHP file. Users with the means of changing the password can access it and use it to restore their files. Otherwise, the script can also be run from a browser.
Still, users should always have backups of their work. The majority of file-locking Trojans use secured locking mechanisms and delete local backups. A spare USB device or cloud service copy of one's website is a more assured way of recovering from a Trojan's vandalism or extortion.
Malware experts also recommend that website admins keep their site's software and infrastructure rigorously up to date. Out-of-date blogging platforms are a powerful example of how attackers can target users who have done nothing actively wrong. Additionally, password security is crucial for every user with internet access.
Regardless of the recovery methods they take, users should contain any security threats first. Most anti-malware or anti-virus suites should remove the Ransomweb Ransomware from compromised systems.
The Ransomweb Ransomware is a rare opportunity: a Trojan that leaves a door open to wind back time. Since most attackers are more careful about how securely their Trojans lock files, website admins shouldn't expect many samples like the Ransomweb Ransomware in the spotlight.