
“RansomWeb” the new attack vector which encrypts website databases


#1 NickAu


    Bleepin' Fish Doctor

  • Moderator
  • 13,827 posts
  • Gender:Male
  • Location: Australia
  • Local time:03:43 AM

Posted 31 January 2015 - 04:30 PM

Researchers from High-Tech Bridge have released research on how cyber criminals are encrypting website databases and holding them for ransom with “RansomWeb”.
More and more people become victims of ransomware, a malware that encrypts your data and demands money to decrypt them. A new trend on the market shows that cybercriminals will now target your website as well to get a ransom payment from you.
In December 2014, High-Tech Bridge security experts discovered a very interesting case of a financial company website compromise: the website was out of service displaying a database error, while the website owner got an email asking for a ransom to “decrypt the database”. The web application in question was pretty simple and small, but very important to the company’s business – the company could not afford to suspend it, nor to announce its compromise. Careful investigation by High-Tech Bridge revealed the following:

  • The web application was compromised six months ago, several server scripts were modified to encrypt data before inserting it into the database, and to decrypt after getting data from the database. A sort of “on-the-fly” patching invisible to web application users.
  • Only the most critical fields of the database tables were encrypted (probably not to impact web application performance much). All previously existing database records were encrypted accordingly.
  • The encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems).
  • During six months, hackers were silently waiting, while backups were being overwritten by the recent versions of the database.
  • On day X, hackers removed the key from the remote server. The database became unusable, the website went out of service, and hackers demanded a ransom for the encryption key.
The researchers stated that they were sure that it was an individual example of a sophisticated APT targeting a specific company, however last week they faced another similar case. One of their customers, an SMB, was blackmailed after his… phpBB forum went out of order. The forum was used as a main platform for customer support, and therefore was important for the customer.

#2 Aura


    Bleepin' Special Ops

  • Malware Response Team
  • 19,697 posts
  • Gender:Male
  • Local time:11:43 AM

Posted 31 January 2015 - 08:32 PM

Isn't there any way of detecting that data is being encrypted on a database? Some kind of monitoring process that would trigger an alert?

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
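Post #1 describes the mechanism (server scripts silently writing ciphertext into the most critical columns, with backups quietly overwritten for months) and post #2 asks whether a monitoring process could catch it. Below is an added example of such a check, written for this thread and not taken from the thread or from High-Tech Bridge: it samples the columns straight from the database, bypassing the web app's transparent decrypt, and flags values shaped like ciphertext. The `support_tickets` table, its rows and all function names are constructed assumptions for the demonstration.

```python
import base64
import binascii
import hashlib
import sqlite3

def _is_text(raw: bytes) -> bool:
    """True if the decoded bytes are readable UTF-8, i.e. a benign encoding, not ciphertext."""
    try:
        return all(c.isprintable() or c.isspace() for c in raw.decode("utf-8"))
    except UnicodeDecodeError:
        return False

def looks_encrypted(value, min_len: int = 24) -> bool:
    """Ciphertext heuristic: a long, whitespace-free string that parses as base64 or hex but
    whose payload is not text. Hash/token columns match too, so aim this at readable columns."""
    if not isinstance(value, str) or len(value) < min_len or any(c.isspace() for c in value):
        return False
    for decode in (lambda v: base64.b64decode(v, validate=True), bytes.fromhex):
        try:
            return not _is_text(decode(value))
        except (binascii.Error, ValueError):
            continue
    return False

def scan_column(conn, table: str, column: str, limit: int = 1000):
    """Read the newest rows directly from the DB (not through the app) and return
    (flagged, sampled). table/column come from the monitoring config, never from user input."""
    cur = conn.execute(f'SELECT "{column}" FROM "{table}" ORDER BY rowid DESC LIMIT ?', (limit,))
    values = [row[0] for row in cur if row[0] is not None]
    return sum(looks_encrypted(v) for v in values), len(values)

def alert_if_encrypted(conn, table: str, column: str, threshold: float = 0.2):
    """Alert when the flagged share crosses the threshold; run it on restored backups too, before rotation."""
    flagged, sampled = scan_column(conn, table, column)
    ratio = flagged / sampled if sampled else 0.0
    return ratio >= threshold, ratio

def build_sample_db() -> sqlite3.Connection:
    """Constructed sample: a phpBB-like support table whose newest rows were written by
    tampered scripts (random-looking base64 stands in for real ciphertext)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE support_tickets (id INTEGER PRIMARY KEY, body TEXT)")
    plain = ["Forum login fails after password reset", "Invoice 1042 shows the wrong VAT rate",
             "Please close ticket 77, resolved by phone", "Attachment upload times out on mobile"]
    cipher = [base64.b64encode(hashlib.sha256(f"row{i}".encode()).digest()).decode() for i in range(6)]
    conn.executemany("INSERT INTO support_tickets (body) VALUES (?)", [(b,) for b in plain + cipher])
    return conn

if __name__ == "__main__":
    print(alert_if_encrypted(build_sample_db(), "support_tickets", "body"))  # (True, 0.6)
```

Pair this with integrity hashing of the server scripts, since the modified scripts are the root of the problem and the column scan only catches their effect.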

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,047 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:43 AM

Posted 31 January 2015 - 08:56 PM

Here is another write-up which I posted in the MRT Forums yesterday.

RansomWeb: emerging website threat that may outshine DDoS, data theft and defacements?
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
