Incident Response, TDR

Researchers observe databases being encrypted, websites held for ransom

Security firm High-Tech Bridge has identified a new type of threat that is similar in concept to ransomware; however, instead of compromising a system with malware that encrypts files, the attack involves compromising a website and encrypting the core databases.

High-Tech Bridge first noticed the threat – which it calls ‘RansomWeb' – in December 2014, when it was investigating the compromised website of a customer. The website was out of service, a database error was displaying, and the company received an email asking for a ransom in order to “decrypt the database,” according to a Wednesday post.

The ransom was $50,000, Ilia Kolochenko, CEO of High-Tech Bridge, told in a Friday email correspondence.

It turns out that a small – yet very important – web application was compromised six months prior, and several server scripts had been modified so that data would be encrypted when going into the database and would be decrypted when being taken out of the database.

High-Tech Bridge referred to it in the post as a type of on-the-fly patching that is invisible to web application users.

Only the most critical fields of the database tables were encrypted, likely to avoid any web application performance issues, the post notes, adding that the encryption key was stored on a remote web server only accessible via HTTPS, probably so that it would not be intercepted by traffic monitoring systems.

As the months passed, the company's backups were being overwritten by encrypted versions of the database. After six months, the attackers removed the key from the remote server, the database became unusable, and the website went down, according to the post.

The security firm thought it was a one-time instance, but last week a different customer experienced a practically identical attack targeting its phpBB forum. Kolochenko said the attack was carried out by a different attacker, and the ransom asked for was $1,000.

This time the attackers patched the forum engine so user credentials were encrypted on-the-fly between the web application and the database, the post indicates, adding two months passed before the encryption key was removed from the remote server.

Part of the success of this type of attack is just waiting as databases are automatically backed up with encryption, so that systems cannot simply be restored from a recent backup, Kolochenko said. He added that most organizations just set systems to backup, make sure it works, and do not touch it until something goes wrong.

“Time is very helpful for hackers,” Kolochenko said. “The more they can wait – the more chances that the website owner will agree to pay them. However, for some critical web applications even [one] month of data loss may be dramatic.”

The attack has some weaknesses, though.

For regularly updated web applications, web programmers may detect the malicious changes when updating code, Kolochenko said. Additionally, he recommended using file integrity monitoring since it can more easily detect the threat.

“The only reliable way [to defend against this threat] is to make sure that your website is secure,” Kolochenko said. “This is not a new intrusion technique, but rather a consequence of a successful attack. I can recommend daily automated scanning and manual penetration testing once per quarter, fully-automated solutions won't secure your website.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.