Corporate Ransomware

Image credit: Blog Ransom Note Sitelock Blog

Last night we got another Reclaimer that was migrating over to us from Bluehost given their site was locked down at because their account reportedly had been hacked. I now understand all to well from the sysadmin side how an infected site can screw up a server. Our plan was to move the account and then do a full scan to quarantine any and all viruses and malware before pointing the DNS.  I ran the scan, and guess what, no viruses, no malware, nada. This person’s site was shutdown for an extended period by Bluehost and then referred to Sitelock because their account was reportedly infected.  Sitelock fixes the problem for a ransom of a fee, and they have to then pay for ongoing protection. It’s literally like the web hosting mob.

What’s more, the site was not infected. This is at least the third time we had a transfer request from a customer who had been referred to Sitelock by Bluehost that had no viruses we could find. How is this acceptable practice?  Is Bluehost cleaning the sites and then shutting down the customer accounts?  These people did not pay Sitelock so it wasn’t them. Something is rotten in Denmark, and I can’t help but think it boils down to one thing: fleecing your customers.  You can promise the world and charge pennies on the dollar because you know in the end you will be collecting those fees in other ways: backups, phony virus protection, etc. When it looks like a scam, and smells like a scam, chances are it is a scam. I just really don’t understand how Bluehost expects to remain relevant when their recent business development seems to be based around cannibalizing their existing clients. When you think about it, this is akin to corporate (a.k.a. legitimatized) ransomware, take down your client’s site, tell them it is infected, push them to make a deal with Sitelock, then sit back and collect your ongoing cut. Some folks have the wherewithal and time to export their stuff and get out, but for many, many others that is far too painful. They are effectively put between a rock and a hard place, like with many ransomware victims who don’t have backups, they are forced to fork out the money.

This entry was posted in reclaim and tagged , , , . Bookmark the permalink.

3 Responses to Corporate Ransomware

  1. Corporate filters catch lots of false positives. UCalgaryBlogs got knocked offline for almost 24 hours because the university’s consultants detected nefarious activity and had to pull the plug as an emergency response. What they’d seen was me, the admin of the server, uploading a .zip file through the admin interface. From a campus IP address that had repeatedly accessed the server over the last year. Good times.

    Shared hosting could be another bag of hurt though – another site on the same server could be infected, but the mafia is sent the IP address. ALL SITES AT THAT IP ADDRESS ARE INFECTED OH NO EMERGENCY BLOCK THEM ALL.

    No. Not how it works.

    Sigh. Sometimes the web is more hassle than it’s worth. Except there’s people in there…

    • almost forgot. the corporate IT consultants were hired in response to a major ransomware attack that took the entire university offline last summer. but their countermeasures mostly deal with other stuff that’s completely unrelated to how the russians got in. security theatre is fun.

  2. Tim Stahmer says:

    It’s not just Bluehost. I help a friend whose site is on HostGator and she gets ransomware notes from them on a regular basis. But when I check the files they claim are infected, there is nothing wrong. The only solution their “help” desk has is to sign up for Sitelock, and I’ve heard similar stories from others on HG.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.