'RansomWeb' ransomware targets companies' databases

Posted by   Virus Bulletin on   Feb 2, 2015

Encryption first added as a patch, key only removed when all backups are encrypted.

Make backups, they said. Then you won't have to worry about ransomware, they said.

Ransomware has quickly become one of the most frustrating kinds of cyber attack. We all know that our devices could suddenly die, and if this leads to a loss of data because we didn't back up regularly, then we only have ourselves to blame.

But things are different when files on a fully functional device are encrypted by a group of cybercriminals, and the lack of a backup means we can only decrypt them by paying a few hundred dollars to the cybercriminals. That is why we hear so many sad stories of people affected by the likes of CryptoLocker, Cryptowall and CTB-Locker.

  Source: Wikimedia Commons (CC BY-SA 3.0)

Researchers at Swiss security firm High-Tech Bridge have written about a new ransomware technique that targets businesses and that cannot simply be defeated by a proper backup policy.

Dubbed 'RansomWeb', the technique acts in two stages. In the first stage, the web application is 'patched' so that data is encrypted before it is stored in a database and decrypted when it is read from the database. When done well, this patch won't affect the functionality of the website.

In the second stage, the attacker removes the private encryption key from the web server and sends a note to the site owner demanding a ransom. This stage usually takes place months after the first, by which time all the available backups contain only encrypted data, which cannot be read without access to the private key.
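The defensive lesson of the two stages is that a backup only helps if someone checks that it still contains readable data. The Python script below is an added example, not code from the original post or from High-Tech Bridge: it samples the values of each column in a restored backup and flags a column when most of its values decode (as hex or base64) to high-entropy, mostly non-printable bytes rather than text. The post does not describe what the actual RansomWeb ciphertext looked like, so the check is a general heuristic for "text column turned into opaque blobs". The table contents, thresholds, column names and the stand-in blobs (deterministic bytes, not real encryption) are all constructed for the illustration.

```python
"""Check a restored backup for text columns that have silently turned into opaque blobs.

Added example: the table contents, thresholds and column names are constructed.
"""
import base64
import binascii
import math
import string
from collections import Counter

# Thresholds are assumptions for this example; tune them against a known-good restore.
MIN_BLOB_LEN = 16            # decoded length below which a value is not treated as ciphertext
PRINTABLE_MAX_RATIO = 0.75   # random bytes are ~39% printable ASCII, real text is ~100%
MIN_ENTROPY_BITS = 3.5       # bits per byte of the decoded value
COLUMN_ALERT_FRACTION = 0.5  # share of sampled values that must look opaque to flag a column

PRINTABLE = frozenset(string.printable.encode())


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def decode_blob(value: str):
    """Return the bytes behind a hex- or base64-encoded value, or None for anything else."""
    s = value.strip()
    if len(s) >= 2 * MIN_BLOB_LEN and len(s) % 2 == 0:
        try:
            return bytes.fromhex(s)
        except ValueError:
            pass
    if len(s) >= 4 and len(s) % 4 == 0:
        try:
            raw = base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            return None
        if len(raw) >= MIN_BLOB_LEN:
            return raw
    return None


def looks_encrypted(value) -> bool:
    """True if a stored value decodes to a high-entropy, mostly non-printable byte string."""
    if not isinstance(value, str):
        return False
    raw = decode_blob(value)
    if raw is None:
        return False
    printable_ratio = sum(b in PRINTABLE for b in raw) / len(raw)
    return printable_ratio < PRINTABLE_MAX_RATIO and shannon_entropy(raw) >= MIN_ENTROPY_BITS


def audit_column(name: str, values) -> dict:
    """Summarise how many sampled values of one column look like ciphertext."""
    sampled = [v for v in values if v is not None]
    flagged = sum(looks_encrypted(v) for v in sampled)
    fraction = flagged / len(sampled) if sampled else 0.0
    return {"column": name, "sampled": len(sampled), "flagged": flagged,
            "alert": fraction >= COLUMN_ALERT_FRACTION}


def audit_backup(columns: dict, expected_opaque=frozenset()) -> list:
    """Audit every column of a restored table except those known to hold hashes or tokens."""
    return [audit_column(name, values)
            for name, values in columns.items() if name not in expected_opaque]


def _constructed_blob(i: int) -> bytes:
    """Deterministic stand-in for 32 bytes of ciphertext (not real encryption)."""
    return bytes((i * 37 + k * 8) % 256 for k in range(32))


def _b64(i: int) -> str:
    return base64.b64encode(_constructed_blob(i)).decode()


# Constructed samples: a restore taken while the application was healthy ...
HEALTHY_BACKUP = {
    "email": ["alice@example.com", "bob.smith@example.org", "carol@example.net", "dave@example.com"],
    "full_name": ["Alice Example", "Bob Smith", "Carol Example", "Dave Example"],
    "password_hash": [_constructed_blob(90 + i).hex() for i in range(4)],
}
# ... and one taken months later, after the text columns started being stored as blobs.
LATER_BACKUP = {
    "email": [_b64(i) for i in range(4)],
    "full_name": [_b64(10 + i) for i in range(4)],
    "password_hash": HEALTHY_BACKUP["password_hash"],
}

if __name__ == "__main__":
    for label, backup in (("healthy", HEALTHY_BACKUP), ("later", LATER_BACKUP)):
        for result in audit_backup(backup, expected_opaque={"password_hash"}):
            print(label, result)
```

Run this against a periodic test restore rather than against the live database, and keep a result from a known-good restore as the baseline. Columns that legitimately hold hashes, API tokens or binary data trip the heuristic by design (the constructed `password_hash` column does), which is why the audit takes an allowlist of columns expected to be opaque.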

It is unclear how widespread RansomWeb is. High-Tech Bridge mentions at least two separate instances of the same kind of attack and there may be many more: businesses tend to be reluctant to report cybercrime. Speaking to Forbes, security consultant Brian Honan says he has worked with SMBs where ransomware was deployed in combination with the destruction of backups.

RansomWeb might not scale as well as normal ransomware, but given that many businesses use the same software for their web applications, and that vulnerabilities are regularly found in such software, it wouldn't be too difficult to target a fairly large number of businesses at once.

Making regular backups remains essential, but RansomWeb shows that backups are not enough: monitoring what happens on your server, and patching vulnerabilities as they are discovered, is just as important.
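Monitoring the server, as recommended above, means in practice knowing when application code changes outside of a deployment, which is exactly what the first stage of RansomWeb depends on going unnoticed. The script below is an added example (not the post's or High-Tech Bridge's code) of a file-integrity baseline: it hashes every file under a web root, skips directories that change during normal operation, and reports files added, removed or modified since the baseline was recorded. The web root layout, file names and ignore list are constructed assumptions for the demonstration.

```python
"""File-integrity baseline for a deployed web application.

Added example: the web root layout, file names and ignore list are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# Directories that change during normal operation; hashing them would only produce noise.
# This list is an assumption for the example; adapt it to the application in question.
IGNORED_PARTS = frozenset({"cache", "logs", "sessions", "uploads"})


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every file below root (relative POSIX path) to its SHA-256, skipping ignored dirs."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if IGNORED_PARTS.intersection(rel.parts[:-1]):
            continue
        manifest[rel.as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was recorded."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: record a baseline at deploy time, then detect out-of-band changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "cache").mkdir()
        (root / "index.php").write_text("<?php require 'lib/db.php';\n")
        (root / "lib" / "db.php").write_text("<?php // database access layer (placeholder)\n")
        (root / "cache" / "page.html").write_text("cached page\n")
        baseline = build_manifest(root)   # in practice: store this off the web server

        # Later: the database layer is edited, a new file appears, and the cache churns as usual.
        (root / "lib" / "db.php").write_text("<?php // database access layer, edited outside a deployment\n")
        (root / "lib" / "extra.php").write_text("<?php // file that was never deployed\n")
        (root / "cache" / "page.html").write_text("regenerated cached page\n")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

Two points matter when using this for real: the baseline has to be stored and compared from somewhere the web server cannot write to (anyone able to edit application code can also edit a manifest kept beside it), and it has to be regenerated as part of every legitimate deployment, so that the only differences a scheduled comparison ever reports are the ones nobody planned.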

Posted on 02 February 2015 by Martijn Grooten
