In another startling development in the world of cyber crime, malicious hackers have started taking over website servers, encrypting the data on them and demanding payment to unlock the files. A large European financial services company, whose name was not disclosed, was the first known victim of this potentially business-destroying attack, according to Swiss security firm High-Tech Bridge, which investigated the breach in December 2014.
The security firm labelled the attack RansomWeb. The brazen techniques used and the high ransom represent a more aggressive take on ransomware – malware which encrypted people’s PCs and asked for payment, typically between $100 and £1,000. Though only a handful of attacks have been seen, many expect such extortion to grow rapidly in 2015.
The initial attack started six months prior to the victim’s website being shut down by the hackers, who had been surreptitiously encrypting the most critical data on the server through “on-the-fly” tweaks to the site’s PHP code functions. The criminals stored the key needed to decrypt the data on their own remote web server, reachable only over HTTPS-encrypted connections, so that no one observing that traffic could obtain the key but them. Once they pulled the key, the data was no longer being silently encrypted and decrypted, and the website was knocked out of action. That’s when employees at the financial services firm received emails from a Gmail account demanding that the firm pay $50,000 to get their website back; the attackers threatened to increase the price by 10 per cent with every passing week.
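The change described above, a quiet rewrite of the site’s own PHP functions with the key held off-server, is invisible to users while it runs, so the practical defence is noticing the code change itself. The following is an added example (not code from the article or from High-Tech Bridge) of a minimal file-integrity check in Python: it records a SHA-256 baseline of the PHP files under a web root, reports files that later differ, and greps the changed files for encryption and remote-fetch calls so that routine deployment changes can be triaged quickly. The function names, paths, indicator strings and sample files are all constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

# Hypothetical indicator strings: PHP calls that would show up if a save/load path were
# rewritten to encrypt rows or to fetch a key from a remote server. Constructed list.
SUSPICIOUS = (
    b"openssl_encrypt",
    b"openssl_decrypt",
    b"mcrypt_encrypt",
    b"file_get_contents('https://",
    b'file_get_contents("https://',
)


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, suffixes=(".php",)):
    """Map of relative path -> SHA-256 for every file under root with a matching suffix."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(suffixes):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                baseline[rel] = hash_file(full)
    return baseline


def compare(root, baseline, suffixes=(".php",)):
    """Re-hash the tree and report what changed relative to the stored baseline."""
    current = build_baseline(root, suffixes)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def flag_crypto_calls(root, rel_paths):
    """Which of the given changed files now contain one of the indicator strings."""
    hits = {}
    for rel in rel_paths:
        with open(os.path.join(root, rel), "rb") as f:
            data = f.read()
        found = [s.decode() for s in SUSPICIOUS if s in data]
        if found:
            hits[rel] = found
    return hits


def save_baseline(baseline, path):
    # Keep the baseline off the web server: a baseline the attacker can rewrite proves nothing.
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def demo():
    """Build a tiny constructed web root, baseline it, alter one file, and detect the change."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "inc"))
    clean = b"<?php\nfunction save_record($db, $row) { return $db->insert($row); }\n"
    with open(os.path.join(root, "inc", "db.php"), "wb") as f:
        f.write(clean)
    with open(os.path.join(root, "index.php"), "wb") as f:
        f.write(b"<?php echo 'hello';\n")
    baseline = build_baseline(root)
    save_baseline(baseline, os.path.join(tempfile.mkdtemp(), "baseline.json"))

    # Constructed stand-in for the silent change the article describes: the same file now
    # references a remote key fetch and an encrypt call (inert text inside a PHP comment).
    tampered = clean + b"// key = file_get_contents('https://key.example.invalid/k'); openssl_encrypt(...)\n"
    with open(os.path.join(root, "inc", "db.php"), "wb") as f:
        f.write(tampered)

    diff = compare(root, baseline)
    hits = flag_crypto_calls(root, diff["modified"])
    return diff, hits


if __name__ == "__main__":
    changes, flagged = demo()
    print("changed:", changes)
    print("flagged:", flagged)
```

Rebuild the baseline after every legitimate deployment and store it where the web server account cannot write. The indicator grep is a triage aid, not proof: web applications call encryption functions for legitimate reasons, and a change made elsewhere (a database trigger, an opcode cache, a shared library) would not show up in PHP source hashes at all.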
CEO of High-Tech Bridge, Ilia Kolochenko, told Forbes the company didn’t end up paying as they were able to recover the keys thanks to mistakes on behalf of the hackers.
This month, a different hacker crew carried out a similar attack on another High-Tech Bridge customer, an SMB whose forum was compromised so users’ passwords and emails were encrypted as they moved between the web application and the database. In that case, according to Kolochenko, the criminals only asked for $1,000.
Kolochenko believes the hackers responsible for the attacks weren’t particularly sophisticated. When High-Tech Bridge started investigating the breach, they believed the attackers were smart and stealthy, but the recovery of the encryption key indicated otherwise, even though attribution appears to have escaped the cyber sleuths. He thinks more hackers will start abusing this technique in the coming year, however, as underground forums hear of the attack’s effectiveness.
Professor Alan Woodward, security expert from the University of Surrey’s Department of Computing, said he hadn’t seen anything like the RansomWeb attacks before but it was “sadly something we were predicting last year”. “Company data is becoming a major corporate asset and if hackers can access your database via compromise of your web front end (which as we have seen is becoming more common) then holding that company asset hostage is an obvious thing for the criminals to do.
“Although I’ve not seen it before that doesn’t mean it’s not happened as many companies are still reluctant to report such breaches and if they have made the problem ‘go away’ by paying up then they might have a reason for not reporting it.
“The next step might well be the modern equivalent of protection rackets – threatening companies with being either taken offline or having their databases frozen unless they pay a regular fee.”
Brian Honan, security consultant, said the modus operandi of the RansomWeb hackers was similar to ransomware attacks against a number of SMBs he had worked with, whereby the criminals broke into the server of the victim, overwrote backups with either the encrypted data or blank data, and at a later date returned to encrypt the server. “At this stage the backups are no longer useful as they contain no workable data to restore the systems, thus leaving the victim companies with the choice of either losing all their data and rebuilding it from scratch, or paying the ransom.”
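Honan’s point is that the backups looked intact but held nothing restorable. A cheap check that catches both failure modes he names, backups overwritten with encrypted data or with blank data, is to inspect each backup file before trusting it. The following is an added example in Python, not from the article or from any of the people quoted; the file format (an uncompressed SQL dump), the thresholds and the sample backups are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: plain text sits around 4 to 5.5, encrypted data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def check_sql_dump(path, min_bytes=1024, max_entropy=6.0, min_inserts=1):
    """Classify one backup as 'ok', 'empty', 'encrypted' or 'no-data'.

    Thresholds are constructed assumptions for an uncompressed SQL dump; tune them per
    environment, and decompress gzipped dumps before checking them.
    """
    if os.path.getsize(path) < min_bytes:
        return "empty"
    with open(path, "rb") as f:
        sample = f.read(1 << 20)  # the first MiB is enough to judge the format
    if shannon_entropy(sample) > max_entropy:
        return "encrypted"
    if sample.count(b"INSERT INTO") < min_inserts:
        return "no-data"
    return "ok"


def audit_backups(directory):
    """Run the check over every file in a backup directory; returns {filename: verdict}."""
    return {name: check_sql_dump(os.path.join(directory, name))
            for name in sorted(os.listdir(directory))}


def demo():
    """Constructed backup directory: one good dump and three that only look like backups."""
    d = tempfile.mkdtemp()
    good = b"CREATE TABLE users (id INT, name TEXT, email TEXT);\n"
    good += b"INSERT INTO users VALUES (1, 'alice', 'alice@example.invalid');\n" * 40
    schema_only = b"CREATE TABLE users (id INT, name TEXT, email TEXT);\n" * 40
    files = {
        "good.sql": good,
        "blank.sql": b"",                      # overwritten with blank data
        "ciphertext.sql": os.urandom(4096),    # stands in for a dump overwritten with encrypted bytes
        "schema_only.sql": schema_only,        # structure present, rows gone
    }
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return audit_backups(d)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The entropy heuristic also fires on compressed dumps, so feed it the decompressed stream. It is a smoke test, not proof: the only demonstration that a backup is usable is a periodic test restore into a scratch database, and that test is only meaningful if the backups live on a host the web server account cannot write to, which is exactly the gap the attacks Honan describes exploited.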
With so many hackers looking for the best way to extort businesses, expect to see some significant ransoms being paid this year, or more catastrophic breaches of similar severity to the hack of Sony Pictures in 2014, which is also thought to have started as a ransom attack.