Researchers from High-Tech Bridge have released research on cyber criminals encrypting website databases and holding them for ransom, a scheme they have named “RansomWeb”.
More and more people are becoming victims of ransomware, malware that encrypts your data and demands money to decrypt it. A new trend on the market shows that cybercriminals will now target your website as well to extract a ransom payment from you.
In December 2014, High-Tech Bridge security experts discovered a very interesting case of a financial company website compromise: the website was out of service, displaying a database error, while the website owner received an email asking for a ransom to “decrypt the database”. The web application in question was pretty simple and small, but very important to the company’s business – the company could afford neither to suspend it nor to announce its compromise. Careful investigation by High-Tech Bridge revealed the following:
- The web application had been compromised six months earlier; several server scripts were modified to encrypt data before inserting it into the database, and to decrypt it after reading it back from the database. A sort of “on-the-fly” patching invisible to web application users.
- Only the most critical fields of the database tables were encrypted (probably so as not to impact web application performance much). All previously existing database records were encrypted accordingly.
- The encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems).
- For six months, the hackers silently waited while backups were being overwritten by recent versions of the database.
- On day X, the hackers removed the key from the remote server. The database became unusable, the website went out of service, and the hackers demanded a ransom for the encryption key.
The researchers stated that they were sure this was a one-off example of a sophisticated APT targeting a specific company; however, last week they faced another similar case. One of their customers, an SMB, was blackmailed after his… phpBB forum went out of order. The forum was used as the main platform for customer support, and therefore was important for the customer.
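The findings above describe two things a defender can look for long before “day X”: database fields that have silently turned into ciphertext, and web scripts whose contents no longer match a known-good baseline. The following script is an added example written for this page; it is not code from High-Tech Bridge or from the affected sites. It uses an in-memory SQLite database and a temporary directory as stand-ins for the real web database and web root, and SHA-256 digests as a stand-in for real encrypted output; all sample rows and files are constructed. The two checks are a column-level heuristic (values that are strict base64 and decode to mostly non-printable bytes) and a file-hash comparison against a saved baseline.

```python
import base64
import binascii
import hashlib
import sqlite3
import tempfile
from collections import defaultdict
from pathlib import Path

# Bytes 0x20..0x7E are printable ASCII; encrypted output is mostly outside this range.
PRINTABLE = set(range(0x20, 0x7F))


def looks_like_ciphertext(value, min_len=16, nonprintable_ratio=0.25):
    """Heuristic: strict base64 of useful length whose decoded bytes are
    mostly non-printable. Natural text (spaces, '@', '.') fails strict
    base64, and base64-wrapped text decodes to printable bytes."""
    if not isinstance(value, str) or len(value) < min_len:
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, binascii.Error):
        return False
    if not raw:
        return False
    nonprintable = sum(1 for b in raw if b not in PRINTABLE)
    return nonprintable / len(raw) >= nonprintable_ratio


def suspicious_columns(conn, threshold=0.8):
    """Return {table: [column, ...]} for columns where at least `threshold`
    of the non-NULL values look like ciphertext (SQLite flavour of the query)."""
    flagged = defaultdict(list)
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in cols:
            values = [r[0] for r in conn.execute(
                f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL')]
            if not values:
                continue
            hits = sum(looks_like_ciphertext(v) for v in values)
            if hits / len(values) >= threshold:
                flagged[table].append(col)
    return dict(flagged)


def hash_tree(root):
    """Map relative file path -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(baseline, current):
    """Compare a saved hash baseline with a fresh scan of the web root."""
    changed = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return {"changed": changed, "added": added, "removed": removed}


def build_demo_db():
    """Constructed sample: a users table whose 'ssn' column was silently
    replaced by base64 ciphertext. SHA-256 digests stand in for cipher output."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, email TEXT, ssn TEXT)")
    for i in range(5):
        fake_ct = hashlib.sha256(f"row{i}".encode()).digest()  # stand-in, not real encryption
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (i, f"user{i}", f"user{i}@example.com",
                      base64.b64encode(fake_ct).decode()))
    conn.commit()
    return conn


def run_file_demo():
    """Constructed sample web root: baseline two PHP files, then modify one and
    add one, as a silent server-side patch would, and report the difference."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "db.php").write_text("<?php function save($v) { return $v; } ?>\n")
        baseline = hash_tree(root)
        (root / "db.php").write_text("<?php function save($v) { /* modified */ return $v; } ?>\n")
        (root / "helper.php").write_text("<?php /* new file */ ?>\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    print("Columns that look encrypted:", suspicious_columns(build_demo_db()))
    print("Web root drift since baseline:", run_file_demo())
```

In practice the baseline would be stored off the web server (it is useless if the attacker can rewrite it alongside the scripts), and the column check would be run against a read replica or a restored backup so that a backup which already contains ciphertext is caught before it overwrites the last clean copy.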