RansomWeb is a new malicious threat that encrypts and holds vulnerable websites hostage via sophisticated targeted attacks.


QUOTE: More and more people become victims of ransomware, malware that encrypts your data and demands money to decrypt it. A new trend on the market shows that cybercriminals will now target your website as well to get a ransom payment from you.

In December 2014, our security experts discovered a very interesting case of a financial company website compromise: the website was out of service, displaying a database error, while the website owner got an email asking for a ransom to “decrypt the database”. The web application in question was pretty simple and small, but very important for the business of the company, which could not afford to suspend it, nor to announce its compromise.

Key research on how this new attack works:

1. The web application was compromised six months ago; several server scripts were modified to encrypt data before inserting it into the database, and to decrypt it after getting data from the database. A sort of “on-the-fly” patching, invisible to web application users.

2. Only the most critical fields of the database tables were encrypted (probably so as not to impact web application performance too much). All previously existing database records were encrypted accordingly.

3. The encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems).

4. For six months, the hackers waited silently while backups were being overwritten by recent versions of the database.

5. On day X, the hackers removed the key from the remote server. The database became unusable, the website went out of service, and the hackers demanded a ransom for the encryption key.
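
The five steps above, as an added example that is not part of the original post or the researchers' own code: a Python simulation of the patched data access layer (step 1), the retro-encryption of existing rows (step 2), the key fetched from a remote server on every request (step 3), backup rotation that silently discards the last clean copy (step 4), and the outage when the key is withdrawn (step 5). The account table, the `RemoteKeyServer` stand-in, the SHA-256 counter-mode cipher and the `looks_encrypted` heuristic are all my assumptions; the article does not say which algorithm the attackers used. The last two functions are the defender-side check a practitioner would want: run them against raw backups, without the application, to confirm that at least one retained backup still holds plaintext.

```python
import base64
import hashlib
import hmac
import os
import sqlite3


class RemoteKeyServer:
    """Stand-in (hypothetical) for the attacker's HTTPS key server."""

    def __init__(self):
        self._key = os.urandom(32)

    def fetch(self):
        if self._key is None:                      # day X: key withdrawn
            raise ConnectionError("key server: 404 Not Found")
        return self._key

    def revoke(self):
        self._key = None


def _keystream(key, nonce, length):
    """SHA-256 counter-mode keystream; toy construction for this demo only."""
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def encrypt_field(key, plaintext):
    """nonce || ciphertext || HMAC tag, base64-encoded so it fits a TEXT column."""
    nonce, data = os.urandom(12), plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + ct + tag).decode()


def decrypt_field(key, stored):
    raw = base64.b64decode(stored)
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("field tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class AccountStore:
    """Data layer of a hypothetical web app after the attacker's patch: only the
    critical column is encrypted on write and decrypted on read (steps 1 and 2)."""

    def __init__(self, conn, key_server):
        self.conn, self.key_server = conn, key_server
        conn.execute("CREATE TABLE IF NOT EXISTS accounts("
                     "id INTEGER PRIMARY KEY, name TEXT, account_no TEXT)")

    def insert(self, name, account_no):
        key = self.key_server.fetch()              # injected: key pulled over HTTPS
        self.conn.execute("INSERT INTO accounts(name, account_no) VALUES (?, ?)",
                          (name, encrypt_field(key, account_no)))

    def get(self, name):
        row = self.conn.execute("SELECT account_no FROM accounts WHERE name = ?",
                                (name,)).fetchone()
        return decrypt_field(self.key_server.fetch(), row[0])   # injected

    def encrypt_existing_rows(self):
        """Step 2: retro-encrypt the records that predate the compromise."""
        key = self.key_server.fetch()
        for rid, acct in self.conn.execute("SELECT id, account_no FROM accounts").fetchall():
            self.conn.execute("UPDATE accounts SET account_no = ? WHERE id = ?",
                              (encrypt_field(key, acct), rid))


def looks_encrypted(value):
    """Defender-side heuristic for a raw backup: an account number should not be
    a base64 blob long enough to hold nonce + ciphertext + tag (>= 28 bytes)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):
        return False
    return len(raw) >= 28


def backup_is_clean(snapshot):
    return not any(looks_encrypted(acct) for _, acct in snapshot)


def run_scenario(months=6, retained_backups=3):
    """Constructed timeline: one clean backup, then `months` of rotated backups."""
    ks, conn = RemoteKeyServer(), sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(id INTEGER PRIMARY KEY, name TEXT, account_no TEXT)")
    conn.execute("INSERT INTO accounts(name, account_no) VALUES ('alice', '10000001')")
    snapshot = lambda: conn.execute("SELECT name, account_no FROM accounts ORDER BY id").fetchall()
    backups = [snapshot()]                         # last pre-compromise backup
    store = AccountStore(conn, ks)                 # step 1: scripts modified
    store.encrypt_existing_rows()                  # step 2
    for m in range(months):                        # step 4: monthly backup rotation
        store.insert(f"user{m}", f"2000000{m}")
        backups = (backups + [snapshot()])[-retained_backups:]
    read_ok = store.get("alice") == "10000001"     # app behaves normally until day X
    ks.revoke()                                    # step 5
    try:
        store.get("alice")
        outage = False
    except ConnectionError:
        outage = True                              # site now shows a "database error"
    return {"clean_backups_remaining": sum(backup_is_clean(b) for b in backups),
            "read_ok_before_day_x": read_ok, "outage_after_day_x": outage}
```

With the default six months and three retained backups, `run_scenario()` reports zero clean backups left: every copy the owner still has contains ciphertext for the critical column, which is exactly why the attackers could wait. Running `backup_is_clean` over a freshly taken backup, outside the application, would have flagged the change within the first rotation; the same goes for a file-integrity check on the server scripts, since the encryption only works if those were modified.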