Popular Chinese restaurant chain serves up ransomware with hackers demanding nearly $700

Popular global Chinese restaurant chain Mr Chow's has been found serving up ransomware to its customers via its website. Security researchers said the restaurant chain, which boasts of numerous sites in London as well as across the US, was targeted by cybercriminals who hacked its website to infect customers with ransomware.

According to Malwarebytes, the hackers directly injected the restaurant's website with the pseudo Darkleech script, which in turn triggered the proliferate Neutrino exploit kit, infecting vulnerable systems with ransomware. Security researchers said the hack was a result of the restaurant using outdated CMS software, which is a common way by which cybercriminals breach such websites. In this case, a "vulnerable installation" of Drupal was observed.

"Ransomware authors have been adding new features to make it more robust or more 'user-friendly'. Below, we see a CAPTCHA users must enter in order to access their account page with further instructions, and even a 'Help Desk' section where you can ask the criminals some questions (or get some feelings off your chest)," Malwarebytes researchers said.

The help desk section read: "In case of any problem with payment or any other questions, please contact us via the contact form." The section also warned users that language support was only available for English and prompted those with insufficient "language proficiency" to "use Google Translate".

Additionally, unsuspecting customers visiting the site would be served up a whopping bill of 1.2 bitcoins, nearly $700 (£524). It is still uncertain as to the identity and location of the cybercriminals behind the ransomware attack. IBTimes UK has reached out to Malwarebytes for further details on the incident and will update this article if and when a response is received.

This is not the first time that cybercriminals have targeted high-profile culinary figures. In 2015, British celebrity chef Jamie Oliver's website was also compromised.

Update:

Malwarebytes lead malware intelligence analyst Jerome Segura told IBTimes UK that the restaurant chain is aware of their report but has not replied or engaged with them directly. At present, the restaurant is not believed to be still infecting unsuspecting customers with ransomware. However, according to Segura, "this could change if the website is not getting fixed properly".

Segura said that the identities of the hackers who compromised the restaurant's servers as well as the those behind the ransomware payload, are "not tied together", and are still unknown.

Commenting on the added help desk feature, which came with support only for the English language, Segura said language support may have little to do with the origins of the ransomware developers.

"We think they are more likely to be Eastern Europeans," he said. "The reason English is the only language is because it saves them the hassle of having to translate from other languages they do not know."