A security firm has identified a new method of attack in which hackers encrypt the data stored on website servers and demand a ransom payment for the decryption key.
In an article posted on its blog, High-Tech Bridge explains how its security experts first detected the attack back in December of 2014.
According to the firm’s research, the attackers were able to successfully compromise a web application belonging to a financial company’s website. They then used that unauthorized access to modify several scripts to encrypt data that went into the database. The attackers also stored the decryption key on a remote server accessible only via HTTPS.
For six months, the attackers overwrote existing backups with the recent versions of the database until “Day X,” when the hackers removed the key from the remote server, causing the website’s database to go down. Shortly thereafter, the attackers contacted the web admins and demanded a ransom payment of $50,000 for the key.
Ultimately, the financial company was able to recover the key due to a mistake on the part of the attackers.
Since that time, High-Tech Bridge has identified another attack in which hackers encrypted and held for ransom a phpBB forum used by an SMB for customer service. It was discovered that two phpBB backdoors on the business’s server helped facilitate the attack.
Brian Honan, a security consultant and one of Tripwire’s Top Influencers in Security, observes that this method of attack gives only a limited number of choices to its victims: “At this stage, the backups are no longer useful as they contain no workable data to restore the systems, thus leaving the victim companies with the choice of either losing all their data and rebuilding it from scratch, or paying the ransom.”
However, there is hope. Ransomweb can easily be detected by file integrity monitoring, although few companies implement this solution with dynamic web applications. To learn more about how Tripwire’s file integrity monitoring solutions can protect companies from ransomweb and other threats, please click here.
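The detection the paragraph above describes, file integrity monitoring of a dynamic web application, comes down to baselining the hashes of the application's scripts and alerting when any of them change. The following is an added example, not code from Tripwire or High-Tech Bridge, that shows the core of such a monitor in Python: it snapshots the SHA-256 digest of every script under a web root, re-scans later, and reports files that were added, removed or modified. The web root, file names and the "tampered" edit are constructed inline so the example runs offline; a real deployment would store the baseline off-host, since an attacker who can modify the scripts can also modify a baseline kept beside them.

```python
import hashlib
import tempfile
from pathlib import Path

# Script types typically watched in a PHP/phpBB-style web root (assumption for this example).
WATCHED_SUFFIXES = {".php", ".inc", ".js", ".py"}
WATCHED_NAMES = {".htaccess"}  # Path(".htaccess").suffix is "", so match on name


def sha256_of_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk the web root and record a digest for every watched file, keyed by relative path."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix in WATCHED_SUFFIXES or path.name in WATCHED_NAMES:
            baseline[path.relative_to(root).as_posix()] = sha256_of_file(path)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify the differences between two snapshots; any non-empty list is an alert."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            path for path in baseline if path in current and baseline[path] != current[path]
        ),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate an unauthorized script change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "includes" / "db.php").write_text("<?php function save($row) { insert($row); } ?>\n")
        (root / "logo.png").write_bytes(b"\x89PNG")  # not a script, so not watched

        baseline = build_baseline(root)

        # Simulated tampering: one existing script rewritten, one new script dropped in.
        (root / "includes" / "db.php").write_text("<?php /* tampered */ ?>\n")
        (root / "includes" / "helper.php").write_text("<?php /* new file */ ?>\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Run periodically from a scheduler and compare against a baseline stored off the web server, the three lists are what a file integrity monitor alerts on. On a site where scripts legitimately change during deployments, the baseline is refreshed as part of the release process, so that any change outside that window stands out.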
It’s important to note that attackers holding sensitive data hostage is nothing new. Beginning with CryptoLocker in 2013, attackers have been sending out ransomware via email to encrypt users’ personal computers. To read more about ransomware, including how you can protect against this particular form of malware, please click here.