'RansomWeb' ransomware targets companies' databases

Posted by   Virus Bulletin on   Feb 2, 2015

Encryption first added as a patch, key only removed when all backups are encrypted.

Make backups, they said. Then you won't have to worry about ransomware, they said.

Ransomware has quickly become one of the most frustrating kinds of cyber attack. We all know that our devices could suddenly die, and if this leads to a loss of data because we didn't backup regularly, then we only have ourselves to blame.

But things are different when files on a fully functional device are encrypted by a group of cybercrminals and the lack of a backup means we can only decrypt them by paying a few hundred dollars to the cybercriminals. That is why we hear so many sad stories of people affected by the likes of CryptoLocker, Cryptowall and CTB-Locker.

  Source: Wikimedia Commons (CC BY-SA 3.0)

Researchers at Swiss security firm High-Tech Bridge have written about a new ransomware technique that targets businesses and that cannot simply be defeated by a proper backup policy.

Dubbed 'RansomWeb', the technique acts in two stages. In the first stage, the web application is 'patched' so that data is encrypted before it is stored in a database and decrypted when it is read from the database. When done well, this patch won't affect the functionality of the website.

In the second phase, the attacker removes the private encryption key from the web server and sends a note to the site owner, demanding a ransom. This phase usually takes place months after the first, by which time all the available backups will only contain encrypted data, which cannot be read without having access to the private key.

It is unclear how widespread RansomWeb is. High-Tech Bridge mentions at least two separate instances of the same kind of attack and there may be many more: businesses tend to be reluctant to report cybercrime. Speaking to Forbes, security consultant Brian Honan says he has worked with SMBs where ransomware was deployed in combination with the destruction of backups.

RansomWeb might not scale as well as normal ransomware, but given that many businesses use the same software for their web applications, and that vulnerabilities are regularly found in such software, it wouldn't be too difficult to target a fairly large number of businesses at once.

Making regular backups remains essential, but RansomWeb shows that backups are not enough: monitoring what happens on your server, and patching vulnerabilities as they are discovered, is just as important.

Posted on 02 February 2015 by Martijn Grooten



Latest posts:

VB2017 paper: The life story of an IPT - Inept Persistent Threat actor

At VB2017 in Madrid, Polish security researcher and journalist Adam Haertlé presented a paper about a very inept persistent threat. Today, we publish both the paper and the recording of Adam's presentation.

Five reasons to submit a VB2018 paper this weekend

The call for papers for VB2018 closes on 18 March, and while we've already received many great submissions, we still want more! Here are five reasons why you should submit a paper this weekend.

First partners of VB2018 announced

We are excited to announce the first six companies to partner with VB2018.

VB2018: looking for technical and non-technical talks

We like to pick good, solid technical talks for the VB conference programme, but good talks don't have to be technical and we welcome less technical submissions just as much.

Partner with VB2018 for extra visibility among industry peers

Partnering with the VB conference links your company to a successful and well-established event, demonstrates your commitment to moving the industry forward, allows you to meet potential clients, be visible to industry peers and build lasting…