'RansomWeb' ransomware targets companies' databases

Posted by   Virus Bulletin on   Feb 2, 2015

Encryption first added as a patch, key only removed when all backups are encrypted.

Make backups, they said. Then you won't have to worry about ransomware, they said.

Ransomware has quickly become one of the most frustrating kinds of cyber attack. We all know that our devices could suddenly die, and if this leads to a loss of data because we didn't backup regularly, then we only have ourselves to blame.

But things are different when files on a fully functional device are encrypted by a group of cybercrminals and the lack of a backup means we can only decrypt them by paying a few hundred dollars to the cybercriminals. That is why we hear so many sad stories of people affected by the likes of CryptoLocker, Cryptowall and CTB-Locker.

  Source: Wikimedia Commons (CC BY-SA 3.0)

Researchers at Swiss security firm High-Tech Bridge have written about a new ransomware technique that targets businesses and that cannot simply be defeated by a proper backup policy.

Dubbed 'RansomWeb', the technique acts in two stages. In the first stage, the web application is 'patched' so that data is encrypted before it is stored in a database and decrypted when it is read from the database. When done well, this patch won't affect the functionality of the website.

In the second phase, the attacker removes the private encryption key from the web server and sends a note to the site owner, demanding a ransom. This phase usually takes place months after the first, by which time all the available backups will only contain encrypted data, which cannot be read without having access to the private key.

It is unclear how widespread RansomWeb is. High-Tech Bridge mentions at least two separate instances of the same kind of attack and there may be many more: businesses tend to be reluctant to report cybercrime. Speaking to Forbes, security consultant Brian Honan says he has worked with SMBs where ransomware was deployed in combination with the destruction of backups.

RansomWeb might not scale as well as normal ransomware, but given that many businesses use the same software for their web applications, and that vulnerabilities are regularly found in such software, it wouldn't be too difficult to target a fairly large number of businesses at once.

Making regular backups remains essential, but RansomWeb shows that backups are not enough: monitoring what happens on your server, and patching vulnerabilities as they are discovered, is just as important.

Posted on 02 February 2015 by Martijn Grooten

twitter.png
fb.png
linkedin.png
googleplus.png
reddit.png

 

Latest posts:

We are more ready for IPv6 email than we may think

Though IPv6 is gradually replacing IPv4 on the Internet's network layer, email is lagging behind, the difficulty in blocking spam sent over IPv6 cited as a reason not to move. But would we really have such a hard time blocking spam sent over IPv6?

Subtle change could see a reduction in installation of malicious Chrome extensions

Google has made a subtle change to its Chrome browser, banning the inline installation of new extensions, thus making it harder for malware authors to trick users into unwittingly installing malicious extensions.

Paper: EternalBlue: a prominent threat actor of 2017–2018

We publish a paper by researchers from Quick Heal Security Labs in India, who study the EternalBlue and DoublePulsar exploits in full detail.

'North Korea' a hot subject among VB2018 talks

Several VB2018 papers deal explicitly or implicitly with threats that have been attributed to North Korean actors.

Expired domain led to SpamCannibal's blacklist eating the whole world

The domain of the little-used SpamCannibal DNS blacklist had expired, resulting in it effectively listing every single IP address.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.