Criminals holding compromised websites for ransom

It’s a clever scheme.

According to a report form High-Tech Bridge, criminals have started moving away from Ransomware, which targets a single PC, to a process the security firm is calling RansomWeb – where the criminal encrypts the website’s databases and holds them hostage.

The process was first discovered in December of 2014. High-Tech Bridge incident response team members were working a case at a financial company that reported a website problems.

Investigators discovered a database error and an email demanding a ransom in order to decrypt the website’s database.

The company couldn’t afford the financial impact that suspending the application would cause, nor could they deal with the impact of announcing that it had been compromised.

After some digging, the investigators were able to establish that the application itself was compromised six months prior to the ransom demands. Moreover, they discovered several server scripts were modified to encrypt data before it is inserted into the database and to decrypt it once it is retrieved from the database – both processes were happening on the fly.

The entire database itself wasn’t encrypted though, the attackers only focused on the most critical fields so as not to impact application performance.

“[The] encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems). During six months, hackers were silently waiting, while backups were being overwritten by the recent versions of the database. At the day X, hackers removed the key from the remote server. Database became unusable, website went out of service, and hackers demanded a ransom for the encryption key,” the report explained.

High-Tech Bridge assumed this was a clever attack, but unique enough that it was a one-time thing. That assumption was true, until just last week, when another customer had a problem with their phpBB installation.

It was the same attack, right down to the ransom and selectively encrypted database fields. The forum was online, but all functions that were required for authentication had stopped working. As was the case previously, the forum was a critical aspect of the SMB’s operation, and the backups were corrupted.

“Hosting companies are not ready for this new challenge, and probably won’t be able to help their customers,” the report said, adding that it was nearly impossible to recover from such an attack without paying the ransom.

The report wasn’t clear on how the scripts were modified after the targeted applications were compromised. However, once the modifications were made, the attackers simply needed to wait.

There is an upside however, as this attack can be prevented and it can be detected – if the server is running some type of file integrity monitoring program. Such programs can detect when files or directories are altered, and there are several free options available online – including a program called CSF.

“We have tens of millions of vulnerable web applications with critical data, and hackers will definitely not miss such a great opportunity to make money on negligent website administrators,” commented Marsel Nizamutdinov, Chief Research Officer at High-Tech Bridge.