Ransomware attack shortly after SSL install - twice

My company purchased an SSL certificate for one of our servers a month ago.  Within a few days we were hacked by ransomware.  Last week we purchased another SSL cert for a server with a different firewall; within 3 days we were hacked with a ransomware attack.  I tried to report this via Contact Us, but the wait times are very long right now.  This is very coincidental and should be looked at by GoDaddy.  It feels like the hackers found a way in using the SSL server info during the SSL renewal process.

Super User IV

@hr7777 

 

I am an end user - but I've never heard of ransomware related to SSL certificates.

 

A couple of thoughts / comments on this

1) What sort of server was affected by this - or was it a WordPress site that was compromised?

2) An SSL certificate creates an encrypted connection to the server, but is not a firewall / virus protection.

 

If these are servers on your network, I would venture to say that there is something compromised on your network.  This is beyond my level of IT knowledge that I deal with, but again just from what you are posting something seems off.

I am a GoDaddy End User - Just Like You
Check out my site! | I currently manage over 300 WordPress Websites
* Please note that I offer free advice on this forum. Thank You Info If you would like personalized help, please contact me. Otherwise, please ask your question in the proper forum so the answer can assist EVERYONE in the community and not just you. Thanks! *

Once your issue is resolved,
please be sure to come back and click accept for the solution

Get Better Support on the Community Boards!
Etiquette When Asking for Help from the Community

I went back to check my purchase/install dates versus the attack.  Each attack occurred one day after purchasing/rekeying the SSL.  These are both Windows servers that have been up and running for quite some time.  One 2008 R2 has been up since 2010, the other came online in 2013.  Never had an attack until these occurrences, and as I said, both happened one day following the purchase of the SSL cert.  It's too coincidental not to take a closer look.  I suggest that GoDaddy perform due diligence on this.

 

I am an IT professional and have not heard of this either.  These hackers have perfected their craft.  If they could breach GoDaddy, a huge target, they could certainly gain server specific information from the rekey as well as the DNS settings.

 

One thing I have learned through attending a number of security symposiums is this.  There are two types of users: those that have been hacked and don't know it yet, and those that have been hacked and know it.

@hr7777 

 

This is 100% above my knowledge level as I focus on WordPress websites. That said - the saying about sites being hacked I've heard before when it comes to websites.

 

I will flag this for the GoDaddy folks to take a look at -  as the community is not a support channel - I wouldn't expect a specific response from GoDaddy.

 

A couple of questions that come to mind are whether these were the first certificates you had on the servers or whether they were replacements.

Also, are these servers configured similarly (programs, firewall, etc.)?

 

I'm wondering if there was something compromised on the server that just wasn't active, and the installation of the SSL certificate triggered the activation, which is why you saw this one day after the installation of the SSL on both servers.


Community Manager

Thanks for reaching out @hr7777. It would be helpful to have a bit more information on exactly what occurred. I agree that the timing seems suspicious, but there's nothing inherently dangerous about the process of generating a new certificate on the GoDaddy side. The best course of action would be to have the server admin identify the root cause of the penetration. 

 

One way that this could have happened is if the private key for your certificate became exposed somehow. In order to rekey a certificate, you need to generate a CSR. During the CSR creation process, the server will usually save the private key in one of its directories. It's possible there was some form of malware already on the server that did not have the ability to give an attacker access, but could still monitor and transmit file information. If the malware was able to transmit your private key, that would be an explanation of the timing. 

 

Another place the key could have been compromised would be if there were any sort of malware on your computer or somehow embedded in your browser, perhaps via a plugin or extension. You likely copied and pasted your private key into the GoDaddy website when rekeying your certificate. If there was malicious software attached to the browser or even your computer's clipboard, it could possibly intercept that data and transmit it.

 

Those are just two scenarios, but there could be others. If you're able to determine a definite cause of what happened, feel free to follow up with more information and I can have our SSL team take a closer look. 

 

JesseW - GoDaddy | Community Manager | 24/7 support available at x.co/247support | Remember to choose a solution and give kudos.
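As an added example (not from this thread, GoDaddy, or the poster's servers), a small audit script for the scenario JesseW describes: it sweeps a directory tree for PEM private keys left behind by CSR generation and flags any that are unencrypted or readable by other local accounts. The sample files, paths and key contents are constructed for the demo.

```python
"""Audit a directory tree for leftover TLS private keys (e.g. from CSR generation)."""
import os
import stat
import tempfile
from pathlib import Path

# PEM header markers that identify a private key (assumption: keys are PEM-encoded).
KEY_MARKERS = (
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)
# A key file should not be readable or writable by group or others (POSIX mode bits).
LOOSE_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def read_head(path: Path, max_bytes: int = 64 * 1024) -> bytes:
    """Read only the start of a file; PEM headers sit in the first few lines."""
    try:
        with path.open("rb") as fh:
            return fh.read(max_bytes)
    except OSError:
        return b""


def find_private_keys(root) -> list:
    """Return [(path, unencrypted, loose_perms)] for every PEM private key under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        head = read_head(path)
        if not any(marker in head for marker in KEY_MARKERS):
            continue
        # Both PKCS#8 "ENCRYPTED PRIVATE KEY" and legacy "Proc-Type: 4,ENCRYPTED" headers.
        encrypted = b"ENCRYPTED" in head
        loose = bool(path.stat().st_mode & LOOSE_BITS)
        findings.append((str(path), not encrypted, loose))
    return findings


def run_demo() -> dict:
    """Build a constructed CSR working directory and audit it; returns {name: (unencrypted, loose)}."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp) / "csr-work"
        work.mkdir()
        plain = work / "server.key"   # constructed, not a real key
        plain.write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...constructed...\n-----END RSA PRIVATE KEY-----\n")
        plain.chmod(0o644)            # the bad case: every local account can read it
        enc = work / "backup.pem"     # constructed, passphrase-protected key
        enc.write_bytes(b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIF...constructed...\n-----END ENCRYPTED PRIVATE KEY-----\n")
        enc.chmod(0o600)
        (work / "server.csr").write_bytes(b"-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----\n")
        return {os.path.basename(p): (unenc, loose) for p, unenc, loose in find_private_keys(tmp)}
```

The mode-bit check is meaningful on POSIX hosts; on Windows servers like the ones in this thread, inspect the key file's ACL with `icacls` instead, and delete or move the key into the certificate store once the certificate is installed.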

Thank you for sharing @JesseW. We do run virus scans on the servers regularly and, while anything can happen, they didn't report any malware issues. I checked out my laptop and had zero issues, so not sure where to go from there.



In case you were concerned that my intent was to blame GoDaddy and seek restitution, that is not the case. It was so coincidental to have two disparate servers running with their own firewalls have the same issue the next night after the rekey process that I felt obligated to bring it to your attention. This experience was painful and I'm still having to tweak things that get reported. I just don't want anyone else to have this issue. My intent was to warn you that you may have a problem. You likely have an army of engineers that could run tests to ensure you are not exposed. I just thought you would want to know and have the opportunity to use your vast resources to ensure you are not causing this pain for any of your customers.



Kind regards,



Howard



Howard Rothman

President

Perfect Imaging, LLC



440-915-5949 - Cell