Cyber Incident Victim: International Council of E-Commerce Consultants
Date: Mar 2016
Location: United States of America
Summary
A major cybersecurity certification organization's website was compromised to distribute TeslaCrypt ransomware via the Angler exploit kit. The injected redirect fired only for visitors using Internet Explorer who arrived from a search engine, and skipped visitors whose IP addresses fell in certain geographic regions. The redirects were injected as PHP code on a WordPress-based subdomain hosting online training materials, most likely through an outdated or vulnerable plugin. Security researchers alerted the organization privately but received no response, and published their findings after the infection had persisted for several days. The ransomware encrypted victims' files and demanded payment in Bitcoin for decryption, highlighting the risk posed by trusted educational platforms serving security professionals. The incident followed similar large-scale malvertising campaigns affecting prominent publishers and ad networks.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The EC-Council, the professional organization that administers the Certified Ethical Hacker certification program, suffered a significant website compromise beginning on or around March 14, 2016. For at least four days, one of its subdomains, which hosts online training materials for security students, distributed TeslaCrypt ransomware via the Angler exploit kit. Security researchers at Fox-IT detected the compromise on March 17 and promptly notified EC-Council officials, but received no response. By March 20 the infection was still active, prompting Fox-IT to disclose the incident publicly. The attack was selective: only visitors using Internet Explorer who arrived from a search engine such as Google or Bing were redirected, and visitors whose IP addresses belonged to specific geographic regions were excluded. Targeted browsers were sent through a multi-stage chain of malicious domains, designed to evade detection and analysis, before reaching the Angler landing page.

The Angler exploit kit exploited vulnerabilities in the victim's browser, Flash Player or Silverlight plugin to deploy the Bedep loader, which in turn downloaded TeslaCrypt. Analysis of the injection indicated that the compromise most likely stemmed from a vulnerability in the WordPress content management system powering the affected EC-Council site, probably an outdated plugin. TeslaCrypt encrypted victims' files and demanded roughly 1.5 Bitcoin (about $622 at the time) for decryption. The incident occurred amid a broader wave of ransomware activity, including a separate malvertising campaign, just eight days earlier, that hit major publishers such as *The New York Times* and the BBC through compromised ad networks. EC-Council's delayed remediation left users exposed to drive-by infection for several days, undermining confidence in the organization's security posture despite its role in certifying ethical hacking professionals.
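The two paragraphs above describe the server-side half of the attack: PHP injected into a WordPress site that inspects the visitor's User-Agent, Referer and client IP and redirects only the visitors it wants. A responder cleaning such a site typically hunts the webroot for exactly that pattern. The scanner below is an added example written for this page, not code from Fox-IT or EC-Council; its indicator regexes, the `geo_lookup()` helper in the sample, and the three PHP snippets are all constructed here to illustrate the gating the report describes, and are not the actual payload found on the site.

```python
"""Heuristic scanner for conditional drive-by redirects injected into PHP files.

It flags a file when it (a) reads a visitor attribute (Referer, User-Agent,
client IP), (b) tests for a search-engine referer or an Internet Explorer
User-Agent, and (c) redirects or runs obfuscated code. All samples and
indicators are constructed for this example.
"""
import re
from pathlib import Path
from typing import Dict, List

# Indicator name -> regex. Constructed heuristics modelling the gating in the
# report; they are not the signatures Fox-IT used.
INDICATORS = {
    "reads_referer": r"\$_SERVER\s*\[\s*['\"]HTTP_REFERER['\"]\s*\]",
    "search_engine_check": r"\b(google|bing|yahoo|aol)\b",
    "reads_user_agent": r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]",
    "ie_check": r"\b(MSIE|Trident)\b",
    "reads_client_ip": r"\b(REMOTE_ADDR|HTTP_X_FORWARDED_FOR)\b",
    "redirect": r"header\s*\(\s*['\"]\s*Location:|http-equiv=['\"]refresh|window\.location",
    "obfuscation": r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\(",
}
_COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}


def scan_php(source: str) -> Dict[str, List[int]]:
    """Return {indicator: [line numbers]} for every indicator that fires."""
    hits: Dict[str, List[int]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, rx in _COMPILED.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def is_conditional_redirect(hits: Dict[str, List[int]]) -> bool:
    """Flag only when a visitor attribute is read, a targeting test is present,
    and the file acts on it. A plain mobile redirect reads the User-Agent and
    redirects but has no search-engine or IE test, so it is not flagged."""
    reads = {"reads_referer", "reads_user_agent", "reads_client_ip"}
    targeting = {"search_engine_check", "ie_check"}
    actions = {"redirect", "obfuscation"}
    found = set(hits)
    return bool(found & reads) and bool(found & targeting) and bool(found & actions)


def flag_webroot(files: Dict[str, str]) -> List[str]:
    """Return the names of files whose source looks like an injected redirect."""
    return [name for name, src in files.items() if is_conditional_redirect(scan_php(src))]


def scan_directory(root: str) -> List[str]:
    """Convenience wrapper: apply flag_webroot to every .php file under root."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    return flag_webroot(files)


# Constructed sample of the gating pattern the report describes; geo_lookup() is
# a hypothetical helper, and no real redirect domain or region list is used.
SUSPECT_PHP = r"""<?php
// Constructed sample of the gating pattern the report describes; not the real payload.
$ua  = $_SERVER['HTTP_USER_AGENT'];
$ref = $_SERVER['HTTP_REFERER'];
$excluded_regions = array(); // regions the operator chooses to skip
if ((strpos($ua, 'MSIE') !== false || strpos($ua, 'Trident') !== false)
    && preg_match('/(google|bing)\./i', $ref)
    && !in_array(geo_lookup($_SERVER['REMOTE_ADDR']), $excluded_regions)) {
    header('Location: http://redirect.example/gate');
    exit;
}
"""

# Constructed benign sample: reads the browser string but only logs it.
BENIGN_PHP = r"""<?php
// Constructed sample: an analytics helper that only logs the browser string.
$ua = $_SERVER['HTTP_USER_AGENT'];
error_log('visitor: ' . $ua);
"""

# Constructed benign sample: a legitimate mobile redirect with no targeting test.
MOBILE_PHP = r"""<?php
// Constructed sample: a mobile redirect, no search-engine or IE gating.
if (stripos($_SERVER['HTTP_USER_AGENT'], 'Mobile') !== false) {
    header('Location: https://m.example.org/');
    exit;
}
"""

if __name__ == "__main__":
    webroot = {
        "wp-content/plugins/example/loader.php": SUSPECT_PHP,
        "wp-content/plugins/example/analytics.php": BENIGN_PHP,
        "wp-content/themes/example/mobile.php": MOBILE_PHP,
    }
    for name, src in webroot.items():
        print(name, scan_php(src))
    print("flagged:", flag_webroot(webroot))
```

The indicator set deliberately requires all three parts (a read of a visitor attribute, a targeting test, and an action) so that ordinary WordPress code that reads the User-Agent for device detection does not drown the results; in a real cleanup the flagged files are a starting point for manual review, and a diff against a clean copy of the same plugin or theme version is the decisive check.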
