After the ongoing waves of CryptoLocker attacks, we are more alert than ever to ransomware and are tightening our email and computer security. However, a new trend shows that cybercriminals are now targeting websites as well, seeking ransom payments from website owners.
Swiss security firm High-Tech Bridge has identified a new type of threat that is similar in concept to ransomware; however, instead of compromising a system with malware that encrypts files, the attack involves compromising a website and encrypting its core databases.
The attack technique – dubbed ‘RansomWeb’ – was first discovered by High-Tech Bridge in December 2014, when it was investigating the compromised website of a customer. The website was out of service, a database error was displayed, and the company received an email asking for a ransom of US$50,000 in order to decrypt the database.
The attackers first compromised the company’s web application. Then, they modified server scripts so that data was encrypted on-the-fly before it was inserted into the database. The encryption process happened over a long period of time, in this case six months, to avoid raising any suspicion. Once the data was completely encrypted, the victim was sent a ransom demand.
Only the most critical fields of the database tables were encrypted, likely to avoid any web application performance issues during the process. Even the backups were overwritten with encrypted entries, making it difficult to recover the data. The encryption key was stored on a remote web server only accessible via HTTPS, so it could not be intercepted by traffic monitoring systems.
In a different case, attackers targeted a phpBB forum used by an SMB for customer support. The installation was compromised after the attackers stole an FTP server password. Once they had access to the server, they planted backdoors and encrypted users’ email addresses and passwords on-the-fly between the web application and the database over a period of two months.
Part of what makes RansomWeb effective is simply waiting: the rows that have already been encrypted are written into the automated database backups, so the system cannot simply be restored from a recent backup.
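Because the encryption is phased in over months, a backup can silently turn from usable to worthless long before the ransom note arrives. The check below is an added example, not code from the article or from High-Tech Bridge: it audits a CSV export of a phpBB-style users table and flags the backup as not safe to rely on when a critical column (here `user_email`) no longer parses as plaintext of the expected shape. The column name, the dumps and the base64-looking blobs are all constructed for the example.

```python
import csv
import io
import re

# Constructed sample dumps of a phpBB-style users table (not real data from the article).
GOOD_DUMP = """user_id,username,user_email
1,alice,alice@example.com
2,bob,bob@example.org
3,carol,carol@example.net
4,dave,dave@example.com
"""

# One row already overwritten with an opaque blob: what an early-stage backup would
# contain while the on-the-fly encryption is still being phased in.
PARTIAL_DUMP = """user_id,username,user_email
1,alice,alice@example.com
2,bob,bob@example.org
3,carol,Q2lwaGVydGV4dCBibG9iIGhlcmU=
4,dave,dave@example.com
"""

# Every critical field replaced: what the backup looks like once the attack is complete.
ENCRYPTED_DUMP = """user_id,username,user_email
1,alice,Q2lwaGVydGV4dCBibG9iIGhlcmU=
2,bob,QW5vdGhlciBvcGFxdWUgYmxvYg==
3,carol,WWV0IGFub3RoZXIgYmxvYg==
4,dave,RmluYWwgYmxvYiB2YWx1ZQ==
"""

# Deliberately simple shape check: an address must contain one '@' and a dotted domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")


def parse_dump(text: str) -> list:
    """Parse a CSV export of the users table into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_dump(text: str, field: str = "user_email", max_bad_fraction: float = 0.0) -> dict:
    """Check that a critical column still holds plaintext of the expected shape.

    A row whose email field no longer parses as an address is counted as suspect.
    Any suspect rows above the tolerated fraction (default: none, since a real
    email column should always validate) mark the backup as not restorable, which
    is the signal to keep older known-good backups instead of rotating them out.
    """
    rows = parse_dump(text)
    suspect = [r["user_id"] for r in rows if not EMAIL_RE.match(r.get(field) or "")]
    fraction = len(suspect) / len(rows) if rows else 0.0
    return {
        "rows": len(rows),
        "suspect_rows": suspect,
        "fraction": fraction,
        "restorable": fraction <= max_bad_fraction,
    }


if __name__ == "__main__":
    for name, dump in [("good", GOOD_DUMP), ("partial", PARTIAL_DUMP), ("encrypted", ENCRYPTED_DUMP)]:
        print(name, audit_dump(dump))
```

Running this as a post-backup hook catches the partially encrypted dump while only one row is affected, which is the window in which an untouched older backup still exists. Any column with a known format (phone numbers, postcodes, fixed-length hashes) can be audited the same way; columns with free-form content need a different signal.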
Potential advantages of RansomWeb (from the attacker's perspective):
- Can have a lasting impact on web application availability
- May be used not only for blackmail but for long-term website destruction
- Backups are of little help, as the database is backed up already encrypted, while the encryption key is stored remotely and is never backed up
- Almost impossible to recover from the attack without paying the ransom
Potential Weaknesses of RansomWeb:
- Can be easily detected by file integrity monitoring
- Relatively difficult to encrypt entire database without damaging web application functionality and/or speed
- May be detected quickly by developers when used on a regularly updated web application
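The first weakness listed above is the practical one: the attack needs a modified server-side script sitting between the application and the database, and a modified script is exactly what file integrity monitoring exists to catch. The script below is an added example, not code from the article or from any FIM product: it hashes every script under a web root into a baseline and reports anything modified, added or removed since. The paths `/var/www/html` and `/var/lib/fim/baseline.json` and the `demo_on_constructed_tree` helper are assumptions for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical locations (assumptions, not from the article).
WEB_ROOT = Path("/var/www/html")
BASELINE = Path("/var/lib/fim/baseline.json")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, suffixes=(".php", ".inc", ".js")) -> dict:
    """Map every script under root (relative POSIX path) to its hash.

    Taken right after a clean deployment, this is the known-good snapshot; the
    store it is written to should live off the web server, out of reach of anyone
    who has only compromised the application or an FTP account."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in suffixes
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files that changed, appeared or disappeared relative to the baseline."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo_on_constructed_tree() -> dict:
    """Constructed walk-through: a tiny web root, a baseline, then a tampered tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (root / "includes" / "db.php").write_text("<?php $db->insert($row); ?>\n")
        baseline = build_baseline(root)
        # Simulated tampering: one existing script changes and a new file appears.
        (root / "includes" / "db.php").write_text("<?php /* changed */ $db->insert($row); ?>\n")
        (root / "includes" / "helper.php").write_text("<?php /* new file */ ?>\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    # Real use: `--init` once after deployment, then the comparison from cron.
    import sys
    if "--init" in sys.argv:
        BASELINE.parent.mkdir(parents=True, exist_ok=True)
        BASELINE.write_text(json.dumps(build_baseline(WEB_ROOT), indent=2))
    elif BASELINE.exists():
        print(json.dumps(compare(json.loads(BASELINE.read_text()), build_baseline(WEB_ROOT)), indent=2))
    else:
        print(demo_on_constructed_tree())
```

The important operational detail is the second bullet of the list above: on a site that is deployed regularly, every legitimate release must re-run `--init`, otherwise the alerts become noise and a real change to the database layer gets waved through with the rest.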
The only reliable way to defend against this threat is to ensure that your website is secure. It is recommended to run daily automated scanning and to perform manual penetration testing once per quarter, as fully automated solutions may not be able to secure your website entirely.