
Cybercriminals Encrypt Website Databases in “RansomWeb” Attacks

Malicious actors are encrypting website databases and holding them for ransom, Switzerland-based security firm High-Tech Bridge revealed on Wednesday.

File encrypting ransomware has become highly problematic for both regular Internet users and organizations. However, researchers at High-Tech Bridge have spotted a new type of attack that threatens businesses.

The technique, dubbed “RansomWeb,” targets sensitive information stored in website databases. These attacks require a lot of patience, but they can be highly profitable for cybercriminals.

The attackers first compromise the targeted company’s Web application. Then, they modify server scripts so that data is encrypted on-the-fly before it’s inserted into the database. This encryption process happens over a long period of time to avoid raising any suspicion. Once the data is encrypted, victims are sent a ransom demand.

In one operation observed by researchers, the attackers encrypted the database of a financial company over a six-month period. During this time, even the backups were overwritten with encrypted entries, making it difficult to recover the data.

In this particular attack, only critical fields in the database were targeted by the cybercriminals, most likely in an effort to reduce the impact on the Web application’s performance.

The encryption key is stored on a remote Web server accessible only via HTTPS. However, once the encryption process is completed, the key is removed from the server.

In a different attack analyzed by High-Tech Bridge, cybercriminals targeted a phpBB forum used by an SMB for customer support. In this case, the attackers encrypted users’ email addresses and passwords on-the-fly between the Web application and the database over a period of two months.

The phpBB installation was compromised after the cybercrooks stole an FTP server password. Once they had access to the server, they planted backdoors and encrypted the information.

Researchers believe RansomWeb attacks can be used for both blackmail and for the long-term disruption of a website. These operations are more effective than distributed denial-of-service (DDoS) attacks because the targeted Web application can be disrupted for longer periods of time, High-Tech Bridge said.

Since even the backups are encrypted, and because the attackers ensure that the encryption key is not easy to obtain, it’s very difficult to recover the lost data without paying the ransom.

On the other hand, experts have pointed out that RansomWeb attacks can be easily detected if website administrators deploy file integrity monitoring systems. These types of operations can also be quickly spotted on regularly updated Web applications.

Researchers noted that while it is difficult for cybercriminals to encrypt an entire database without impacting performance or damaging the Web app’s functionality, it’s often enough for the attackers to encrypt one important field in the database.
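The two detection angles the article describes, a modified server script that transforms rows before they reach the database and a single critical column whose values gradually stop looking like what they should, can both be checked with a small monitoring script. The following Python is an added example written for this article; it is not High-Tech Bridge's tooling and it is not part of phpBB. The web root, the PHP files, and the sample "email" column values are all constructed inline so that it runs offline; the `transform($row)` string in the modified file is a stand-in for whatever change a compromised script would contain, not code taken from a real incident.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# --- 1. File integrity monitoring over the web application's files -----------
# A baseline of SHA-256 hashes taken from a known-good deployment lets an
# operator notice when a server script has been altered or a new file appears,
# which is the step the article says makes RansomWeb easy to detect.


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Map each regular file (POSIX relative path) under webroot to its hash."""
    return {
        p.relative_to(webroot).as_posix(): hash_file(p)
        for p in sorted(webroot.rglob("*"))
        if p.is_file()
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Report files that were added, removed, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


# --- 2. Plausibility check on a critical database column ---------------------
# Encrypted values inserted in place of real data no longer match the column's
# expected shape. Sampling the column periodically and tracking the fraction of
# rows that fail a format check exposes slow, field-by-field encryption.

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def implausible_ratio(values, pattern=EMAIL_RE) -> float:
    """Fraction of sampled values that do not look like the column's data type."""
    if not values:
        return 0.0
    bad = sum(1 for v in values if not pattern.match(v))
    return bad / len(values)


def alerts(report: dict, column_ratio: float, threshold: float = 0.05) -> list:
    """Turn the FIM diff and the column check into human-readable alerts."""
    out = [f"script changed: {p}" for p in report["modified"]]
    out += [f"unexpected new file: {p}" for p in report["added"]]
    if column_ratio > threshold:
        out.append(f"column plausibility dropped: {column_ratio:.0%} rows malformed")
    return out


def demo() -> dict:
    """Run both checks against a constructed web root and a constructed column sample."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "includes").mkdir()
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "includes" / "db.php").write_text(
            "<?php function db_insert($row) { return $row; } ?>"
        )
        baseline = build_baseline(root)
        # Constructed change: the insert helper now transforms rows before they
        # are stored, and a new file appears in the includes directory.
        (root / "includes" / "db.php").write_text(
            "<?php function db_insert($row) { return transform($row); } ?>"
        )
        (root / "includes" / "extra.php").write_text("<?php /* constructed */ ?>")
        report = diff_baseline(baseline, build_baseline(root))

    # Constructed sample of an "email" column where two rows have been replaced
    # by opaque blobs that no longer parse as addresses.
    sampled_emails = [
        "alice@example.com",
        "bob@example.org",
        "Zm9vYmFyYmF6",
        "U2FsdGVkX1+abc",
        "carol@example.net",
    ]
    report["email_implausible_ratio"] = implausible_ratio(sampled_emails)
    report["alerts"] = alerts(report, report["email_implausible_ratio"])
    return report


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

In practice the baseline would be stored off the web server (the article notes the attackers had FTP access, so a baseline kept alongside the scripts could be rewritten too), and the column sample would be drawn from a read-only replica on a schedule so that a slow drift in the malformed-row ratio is visible before backups have been overwritten.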

“We are probably facing a new emerging threat for websites that may outshine defacements and DDoS attacks. RansomWeb attacks may cause unrepairable damage, they are very easy to cause and pretty difficult to prevent,” said Ilia Kolochenko, CEO of High-Tech Bridge. “Days when hackers were attacking websites for glory or fun are over, now financial profit drives them. The era of web blackmailing, racket and chantage is about to start.”

“Cyber blackmailing and ransomware have existed for a while already; however, websites are a new vector of chantage. We have tens of millions of vulnerable web applications with critical data, and hackers will definitely not miss such a great opportunity to make money on negligent website administrators,” noted Marsel Nizamutdinov, High-Tech Bridge’s chief research officer.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.