Researchers Discover U.S. Government Site Hosting Malicious Ransomware

Earlier this week, security researchers discovered a United States government site was hosting a malicious downloader that, if interacted with, would result in visitors being infected by ransomware.

The presence of the ransomware was first discovered by researcher Ankit Anubhav of NewSky Security, who came across the downloader Wednesday. It is unclear how long the malicious file was present on the official government site before it was spotted or if anyone fell victim to the downloaded and installed the ransomware on their device.

The file, which was hosted on the National Wildfire Coordinating Group’s (NWCG) website, has since been removed, though it’s still troubling a site with an official .gov domain extension could play host to ransomware. Most .gov domains are whitelisted by security programs, meaning any download from the sites are generally trusted.

While the malicious link was still active on the site, it hosted a downloader for the Cerber ransomware. Like most ransomware attacks, Cerber encrypts files on an infected device and holds them hostage until the victim agrees to pay a ransom, which has to be paid in Bitcoin.

Cerber has been in circulation for more than a year and has been spread through a variety of different ways. A version of Cerber was sold as a ransomware-as-a-service attack that users could buy off dark web forums and launch at anyone. It has also appeared in spam campagins and botnet attacks.

It’s still not known how the Cerber downloader landed on the NWCG website, though the discovering researcher speculated that either the site was hacked or was included in an email sent to a government official and that email, along with the attached downloader, was archived and stored.

The latter seems to be more likely, given the full domain that hosted the linked includes references for “pipermail” and “attachments.” The malicious file itself is also labeled as ”attachment.zip,” suggesting it was included in some sort of correspondence.

That .zip file contained JavaScript that included a PowerShell command to download a file. While the PowerShell made it appear like the user was downloading a .gif file, it was actually obfuscating the fact it was downloading the Cerber executable file.

The Cerber download also comes from a known malicious domain, according to research from Mariano Palomo Villafranca, a malware analyst with Spanish telecommunications company Telefonica.

The researchers did point out similarities to the Blank Slate spam campaign which earlier this year was spreading Cerber. Emails in that campaign contained only a double-zip archive with the second containing either a malicious JavaScript file or a malicious Microsoft Word document. The emails contain no text, and experts believed then that all of this combined to evade detection.

Neither the National Wildfire Coordinating Group nor any other government body including the Department of Homeland Security have publicly commented on the incident or provided more information on the removal of the file.

Earlier this week, a security vulnerability was discovered on the Federal Communications Commission’s website that would allow anyone with an email address to upload a malicious file that would be hosted on the FCC’s .gov domain.