Posted by Virus Bulletin on Feb 2, 2015
Encryption first added as a patch, key only removed when all backups are encrypted.
Make backups, they said. Then you won't have to worry about ransomware, they said.
Ransomware has quickly become one of the most frustrating kinds of cyber attack. We all know that our devices could suddenly die, and if this leads to a loss of data because we didn't backup regularly, then we only have ourselves to blame.
But things are different when files on a fully functional device are encrypted by a group of cybercrminals and the lack of a backup means we can only decrypt them by paying a few hundred dollars to the cybercriminals. That is why we hear so many sad stories of people affected by the likes of CryptoLocker, Cryptowall and CTB-Locker.
Researchers at Swiss security firm High-Tech Bridge have written about a new ransomware technique that targets businesses and that cannot simply be defeated by a proper backup policy.
Dubbed 'RansomWeb', the technique acts in two stages. In the first stage, the web application is 'patched' so that data is encrypted before it is stored in a database and decrypted when it is read from the database. When done well, this patch won't affect the functionality of the website.
In the second phase, the attacker removes the private encryption key from the web server and sends a note to the site owner, demanding a ransom. This phase usually takes place months after the first, by which time all the available backups will only contain encrypted data, which cannot be read without having access to the private key.
It is unclear how widespread RansomWeb is. High-Tech Bridge mentions at least two separate instances of the same kind of attack and there may be many more: businesses tend to be reluctant to report cybercrime. Speaking to Forbes, security consultant Brian Honan says he has worked with SMBs where ransomware was deployed in combination with the destruction of backups.
RansomWeb might not scale as well as normal ransomware, but given that many businesses use the same software for their web applications, and that vulnerabilities are regularly found in such software, it wouldn't be too difficult to target a fairly large number of businesses at once.
Making regular backups remains essential, but RansomWeb shows that backups are not enough: monitoring what happens on your server, and patching vulnerabilities as they are discovered, is just as important.
Posted on 02 February 2015 by Martijn Grooten