Cybercriminals Use RansomWeb Attacks to Hold Website Databases Hostage

18/02/15 12:10 pm

THE STATE OF SECURITY

(HTTP://WWW.TRIPWIRE.COM/STATE-OFSECURITY/)
News. Trends. Insights.

FEATURED ARTICLES (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/FEATURED/)

LATEST SECURITY NEWS (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/LATEST-SECURITY-NEWS/)

TOPICS (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/)

RESOURCES (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/RESOURCES/)

ABOUT (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/ABOUT/)

Search

HOME (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY) LATEST SECURITY NEWS

(HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/LATEST-SECURITY-NEWS/) Cybercriminals Use

The State of Security

Newsletter

RansomWeb Attacks to Hold Website Databases

Cybercriminals Use RansomWeb

Attacks to Hold Website Databases
Hostage

Receive the latest security stories, trends

and insights directly in your inbox each
week.
Enter your email address here...
Sign Up

DAVID BISSON (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/CONTRIBUTORS/DAVID-BISSON/)

FEB 3, 2015 |
LATEST SECURITY NEWS (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/LATEST-SECURITY-NEWS/)

(HTTP://WWW.TRIPWIRE.COM/STATEOF-SECURITY/CONTRIBUTORS/DAVIDBISSON/)

(http://www.tripwire.com/state-of-security/latest-security-news/cybercriminals-useransomweb-attacks-to-hold-website-databases-hostage/)
19

72

76

(http://www.tripwire.com/state-ofsecurity/security-data-protection/securityconfiguration-management/are-you-asecurity-configuration-management-expert/
sb-bnr)

A security firm has identified a new method of attack in which hackers encrypt the data
stored on website servers and demand a ransom payment for the decryption key.
In an article posted on its blog
(https://www.htbridge.com/blog/ransomweb_emerging_website_threat.html), High-Tech
Bridge explains how its security experts first detected the attack back in December of
2014.
According to the firms research, the attackers were able to successfully compromise a
web application belonging to a financial companys website
(http://www.theguardian.com/technology/2015/feb/03/hackers-websites-ransom-

Latest Security News (/stateof-security/topics/latestsecurity-news/)

Advanced Threat Actor Linked to NSA
Uses Spyware to Infect the Disk Drive
Firmware of Foreign Targets
FEB 17, 2015

http://www.tripwire.com/state-of-security/latest-security-news/cyriminals-use-ransomweb-attacks-to-hold-website-databases-hostage/

Page 1 of 4

Cybercriminals Use RansomWeb Attacks to Hold Website Databases Hostage

18/02/15 12:10 pm

switching-encryption-keys). They then used that unauthorized access to modify several

scripts to encrypt data that went into the database. The attackers also stored the
decryption key on a remote server accessible only via HTTPS.
For six months, the attackers overwrote existing backups with the recent versions of the
database until Day X, when the hackers removed the key from the remote server, causing
the websites database to go down. Shortly thereafter, the attackers contacted the web
admins and demanded a ransom payment of $50,000 for the key.
Ultimately, the financial company was able to recover the key due to a mistake on the part
of the attackers.
Since that time, High-Tech Bridge has identified another attack in which hackers encrypted
and held for ransom a phpBB forum used by a SMB for customer service. It was
discovered that two phpBB backdoors
(http://www.theregister.co.uk/2015/02/03/web_ransomware_scum_now_lay_waste_to_your_backups/)
on the business server helped facilitate the attack.
Brian Honan (https://twitter.com/brianhonan), a security consultant and one of Tripwires
Top Influencers in Security (http://www.tripwire.com/state-of-security/featured/topinfluencers-in-security-you-should-be-following-in-2015/), observes that this method of
attack gives only a limited number of choices to its victims: At this stage, the backups are
no longer useful as they contain no workable data to restore the systems, thus leaving the
victim companies with the choice of either losing all their data and rebuilding it from
scratch, or paying the ransom.
However, there is hope. Ransomweb can easily be detected by file integrity monitoring,
although few companies implement this solution with dynamic web applications. To learn
more about how Tripwires file integrity monitoring solutions can protect companies from
ransomweb and other threats, please click here (http://www.tripwire.com/it-securitysoftware/scm/file-integrity-monitoring/).
Its important to note that attackers holding sensitive data hostage is nothing new.
Beginning with CryptoLocker in 2013, attackers have been sending out ransomware via
email to encrypt users personal computers. To read more about ransomware, including
how you can protect against this particular form of malware, please click here
(http://www.tripwire.com/state-of-security/security-awareness/ransomware-refusing-tonegotiate-with-attackers/).
19
CATEGORIES
TAGS

72

Cybercriminals Steal $1 Billion in Most

Sophisticated Attack the World Has
Seen
FEB 16, 2015
Haskell Confirms Security Breach in
Debian Builds
FEB 16, 2015
70% of Malware Infections Go
Undetected by Antivirus Software, Study
Says
FEB 13, 2015
Report: 16 Million Mobile Devices Infected
by Malware at the End of 2014
FEB 13,
2015

POPULAR

FEATURED

RECENT

(http://www.tripwire.com/stateof-security/security-dataprotection/cyber-security/whyanthem-why-now/)

76

Latest Security News (http://www.tripwire.com/state-of-security/topics/latest-security-news/)

cybercrime (http://www.tripwire.com/state-of-security/tag/cybercrime/), RansomWeb
(http://www.tripwire.com/state-of-security/tag/ransomweb/), Website
(http://www.tripwire.com/state-of-security/tag/website/)

(http://www.tripwire.com/stateof-security/latest-securitynews/70-of-malwareinfections-go-undetected-byantivirus-software-study-says/)

Why H
Health
(http://
of-sec
protec
anthem

FEBRUA

70% o
Undete
Softwa
(http://
of-sec
news/7
infectio
antiviru

FEBRUA

COMMENTS

Login

There are no comments posted yet. Be the first one!

POST A NEW COMMENT

(http://www.tripwire.com/stateof-security/security-dataprotection/forbes-websiteused-to-spread-malware-butwhat-can-other-businesseslearn/)

Enter text right here!

Forbes
Spread
Can O
(http://
of-sec
protec
used-t
what-c
learn/)

FEBRUA

Comment as a Guest, or login:

NAME

EMAIL

WEBSITE (OPTIONAL)

Displayed next to your comments.

Not displayed publicly.

If you have a website, link to it here.

Subscribe to None

Submit Comment

(http://www.tripwire.com/stateof-security/risk-basedsecurity-forexecutives/connectingsecurity-to-thebusiness/securityperspectives-on-cyberliteracy/)

http://www.tripwire.com/state-of-security/latest-security-news/cyriminals-use-ransomweb-attacks-to-hold-website-databases-hostage/

Improv
Literac
Execut
(http://
of-sec
securit
execut
securit
busine
perspe
literacy

Page 2 of 4

Cybercriminals Use RansomWeb Attacks to Hold Website Databases Hostage

18/02/15 12:10 pm

FEBRUA

About David Bisson

David Bisson (http://www.tripwire.com/state-ofsecurity/contributors/david-bisson/) has contributed 125 posts to The
State of Security.
View all posts by David Bisson (http://www.tripwire.com/state-ofsecurity/contributors/david-bisson/) >
(http://www.tripwire.com/stateFollow @DMBisson
ofsecurity/contributors/david-

(http://www.tripwire.com/stateof-security/latest-securitynews/haskell-confirmssecurity-breach-in-debianbuilds/)

bisson/)

Tweets

Haske
Breach
(http://
of-sec
news/h
securit
builds/

FEBRUA

Follow

Tripwire, Inc. @TripwireInc

The Startup Problem
tripwire.me/1DlI8VW via Andrew Wagner
#Security #Infosec
Expand

Tripwire, Inc. @TripwireInc

iOS 8 Custom Keyboards A Hackers
Best Friend? tripwire.me/1ziFKc1 via
@treguly #infosec #ios8
Expand

Tripwire, Inc. @TripwireInc

Three Keys to a Successful
#Cybersecurity Defense Program
tripwire.me/1DhFuR0 via Kelly Lang
#security
Expand

Tweet to @TripwireInc

Tripwire
Like
184 people like Tripwire.

Facebook social plugin

Topics (/state-of-security/topics/
Government

Incident Detection

IT Security and Data Protection

Latest Security News
Off Topic

Regulatory Compliance

Risk-Based Security for Executives

Security Awareness
Security Slice
Tripwire News

!
!

Vulnerability Management

http://www.tripwire.com/state-of-security/latest-security-news/cyriminals-use-ransomweb-attacks-to-hold-website-databases-hostage/

Page 3 of 4

Cybercriminals Use RansomWeb Attacks to Hold Website Databases Hostage

2015 TRIPWIRE, INC.

(HTTP://WWW.TRIPWIRE.COM/) ALL RIGHTS
RESERVED.

18/02/15 12:10 pm

FEATURED ARTICLES (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/FEATURED/)

The State
TOPICS (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/TOPICS/)

of Security Newsletter

Receive the latest security stories,

ABOUT (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/ABOUT/)
trends and insights directly in your
CONTRIBUTORS (HTTP://WWW.TRIPWIRE.COM/STATE-OF-SECURITY/CONTRIBUTORS/)
inbox each week.
PRIVACY POLICY (HTTP://WWW.TRIPWIRE.COM/LEGAL/PRIVACY/)

TRIPWIRE.COM (HTTP://WWW.TRIPWIRE.COM/)

Enter your email address here...

FOLLOW US

Sign Up

http://www.tripwire.com/state-of-security/latest-security-news/cyriminals-use-ransomweb-attacks-to-hold-website-databases-hostage/

Page 4 of 4