'RansomWeb' ransomware targets companies' databases

Posted by Virus Bulletin on Feb 2, 2015

Encryption first added as a patch, key only removed when all backups are encrypted.

Make backups, they said. Then you won't have to worry about ransomware, they said.

Ransomware has quickly become one of the most frustrating kinds of cyber attack. We all know that our devices could suddenly die, and if this leads to a loss of data because we didn't back up regularly, then we only have ourselves to blame.

But things are different when files on a fully functional device are encrypted by a group of cybercriminals and the lack of a backup means we can only decrypt them by paying a few hundred dollars to the cybercriminals. That is why we hear so many sad stories of people affected by the likes of CryptoLocker, Cryptowall and CTB-Locker.

(Image source: Wikimedia Commons, CC BY-SA 3.0)

Researchers at Swiss security firm High-Tech Bridge have written about a new ransomware technique that targets businesses and that cannot simply be defeated by a proper backup policy.

Dubbed 'RansomWeb', the technique acts in two stages. In the first stage, the web application is 'patched' so that data is encrypted before it is stored in a database and decrypted when it is read from the database. When done well, this patch won't affect the functionality of the website.

In the second stage, the attacker removes the private encryption key from the web server and sends a note to the site owner, demanding a ransom. This stage usually takes place months after the first, by which time all the available backups will only contain encrypted data, which cannot be read without access to the private key.

It is unclear how widespread RansomWeb is. High-Tech Bridge mentions at least two separate instances of the same kind of attack and there may be many more: businesses tend to be reluctant to report cybercrime. Speaking to Forbes, security consultant Brian Honan says he has worked with SMBs where ransomware was deployed in combination with the destruction of backups.

RansomWeb might not scale as well as normal ransomware, but given that many businesses use the same software for their web applications, and that vulnerabilities are regularly found in such software, it wouldn't be too difficult to target a fairly large number of businesses at once.

Making regular backups remains essential, but RansomWeb shows that backups are not enough: monitoring what happens on your server, and patching vulnerabilities as they are discovered, is just as important.
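The two-stage technique described above leaves a concrete trace a defender can look for: once the encrypting 'patch' is in place, backups fill with ciphertext long before the ransom note arrives. The following script is an added example, not code from this post or from High-Tech Bridge's research. It assumes a backup has been exported as rows of column/value strings, uses constructed sample rows, and flags columns whose values have silently turned into high-entropy blobs. The allowlist for legitimately opaque columns (password hashes, session tokens) is the check's main caveat.

```python
"""Backup sanity check: flag database columns whose stored values look like
ciphertext rather than the plaintext the application normally writes.

Added example, not code from the Virus Bulletin post or from High-Tech
Bridge. It assumes a backup has been exported as a list of row dicts
(column name -> string value). The sample rows are constructed, and the
"encrypted" values are stand-ins built from hash output, which has the same
statistical profile as real cipher output.
"""
import base64
import binascii
import hashlib
import math
from collections import Counter
from typing import Dict, Iterable, List, Optional


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. English text sits around 4; long random or encrypted
    data approaches 8 (a 32-byte blob is capped at 5, a 64-byte one at 6)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_blob(value: str) -> Optional[bytes]:
    """Bytes behind a hex or strict base64 string, or None if it is neither.
    Ordinary text with spaces or punctuation fails both decoders."""
    try:
        return bytes.fromhex(value)
    except ValueError:
        pass
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_encrypted(value: str, min_len: int = 16, threshold: float = 4.5) -> bool:
    """Heuristic: a decodable blob of at least min_len bytes whose byte entropy
    exceeds the threshold. Short values cannot reach it and are never flagged."""
    blob = decode_blob(value)
    if blob is None or len(blob) < min_len:
        return False
    return shannon_entropy(blob) > threshold


def scan_backup(rows: Iterable[Dict[str, str]],
                expected_opaque: Iterable[str] = ()) -> Dict[str, float]:
    """Per column, the fraction of values that look encrypted. Columns that are
    legitimately opaque (password hashes, session tokens) are skipped; otherwise
    they show up as false positives."""
    skip = set(expected_opaque)
    flagged: Counter = Counter()
    total: Counter = Counter()
    for row in rows:
        for column, value in row.items():
            if column in skip or not isinstance(value, str):
                continue
            total[column] += 1
            if looks_encrypted(value):
                flagged[column] += 1
    return {col: flagged[col] / total[col] for col in total}


def suspicious_columns(rows: Iterable[Dict[str, str]],
                       expected_opaque: Iterable[str] = (),
                       ratio: float = 0.9) -> List[str]:
    """Columns where nearly every value looks encrypted. A backup with such
    columns is useless without the key, and the application code that wrote it
    should be compared against a known-good copy."""
    report = scan_backup(rows, expected_opaque)
    return sorted(col for col, frac in report.items() if frac >= ratio)


def _stand_in_ciphertext(plaintext: str) -> str:
    """Constructed stand-in for what a transparently encrypting patch would
    store: 64 bytes of hash output, base64-encoded. Not an encryption routine."""
    digest = hashlib.sha256(plaintext.encode()).digest()
    return base64.b64encode(digest + hashlib.sha256(digest).digest()).decode()


# Constructed sample rows; the hashes and tokens are made-up literals.
OPAQUE_COLUMNS = {"password_hash", "session_token"}
HEALTHY_BACKUP = [
    {"email": "alice@example.com", "name": "Alice Smith",
     "notes": "Prefers invoices by post.",
     "password_hash": "$2b$12$LJ3m4ZkQd1pA7xYk6z4GzuqThVl9WbcO2NpE5r7sKfH1dY0uI3aS",
     "session_token": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
    {"email": "bob@example.com", "name": "Bob Jones",
     "notes": "Account on hold since March.",
     "password_hash": "$2b$12$Qm8xR2tV5wY1zN4bK7cL0eJ3gH6iM9oP2sU5vX8yA1dF4hK7jL0nM",
     "session_token": "2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"},
]
# The same rows after an encrypting patch has been live for a while: email and
# notes now reach the backup as ciphertext, everything else is unchanged.
TAMPERED_BACKUP = [
    {**row, "email": _stand_in_ciphertext(row["email"]),
     "notes": _stand_in_ciphertext(row["notes"])}
    for row in HEALTHY_BACKUP
]

if __name__ == "__main__":
    print("healthy, allowlist applied:", suspicious_columns(HEALTHY_BACKUP, OPAQUE_COLUMNS))
    print("healthy, no allowlist:     ", suspicious_columns(HEALTHY_BACKUP))
    print("tampered:                  ", suspicious_columns(TAMPERED_BACKUP, OPAQUE_COLUMNS))
```

Run it as part of every restore test: a column that crosses the threshold between two backups is the signal, and it appears months before the key is pulled. Without the allowlist the session token column is reported too, which is why the list of expected opaque columns has to be maintained alongside the schema. Pair the check with integrity monitoring of the application code itself, since the encryption layer is a modification of that code.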

Posted on 02 February 2015 by Martijn Grooten
