Ransomware 2.0 'crypts website databases – until victims pay up

Criminals are holding companies' web databases to ransom by compromising web applications and encrypting all the data until money is handed over. As detailed by security consultancy High-Tech Bridge, the attacks start with an assault on a website that yields access to a database server. Once in, miscreants install hidden …

  1. Pascal Monett

    So they got in with a compromised FTP password

    And then they pwned the place so bad it's not even funny any more. This seems to me to be a good step above skiddie level. This is serious criminal activity done by knowledgeable perps, and they're going to mint millions with it.

    Big Corp might not get caught, but Mom & Pop operations are going to be sunk by this.

    On the other hand: calling Sony! Sony? If you think you lost some money last time, when these guys show up on your doorstep, you're going to find out the true meaning of LOSSES.

  2. Adam 1

    Any backup must be considered as of unknown success until you have successfully restored it to another machine.

    If you go 6 months without noticing your backups don't restore with the encryption keys you hold, your problems are deeper than ftp passwords.

    1. Anonymous Coward

      From the original article -

      >The web application was compromised six months ago, several server scripts were modified to encrypt data before inserting it into the database, and to decrypt after getting data from the database. A sort of “on-fly” patching invisible to web application users.

      >Only the most critical fields of the database tables were encrypted (probably not to impact web application performance a lot). All previously existing database records were encrypted accordingly.

      This means that you can restore the database with the encryption keys in your pocket but only the critical fields in the database will be encrypted using the bad guy's encryption keys. You will not only need to restore a backup but to also use a clean and secure environment to test the data.

  3. waldo kitty

    um... guys... you should read the original article... this one has things mixed up between two different attacks... there's also not any encryption key on the system until the cretins have busted in and modified the database access to use their encryption key... before that, the data is plain and unencrypted... seriously, read the original article... carefully and closely...

    1. David Pollard

      ... crypto key swap

      "Once in, attackers change the encryption settings used by the database."

      1. Anonymous Coward

        Re: ... crypto key swap

        He said the original article, not The Register article:

        https://www.htbridge.com/blog/ransomweb_emerging_website_threat.html

        "The web application was compromised six months ago, several server scripts were modified to encrypt data before inserting it into the database, and to decrypt after getting data from the database. A sort of “on-fly” patching invisible to web application users."

        They do not change any existing settings/encryption keys, they changed the scripts driving the web application so that it encrypted data using their key (which the web application retrieved by HTTPS from the attackers server) before inserting/updating it and decrypted it on retrieval.

        They then waited for that encrypted data to overwrite/roll into all the backups for 6 months before pulling the key on their server, preventing the compromised web application from decrypting the data until they pay up.

        1. waldo kitty

          Re: ... crypto key swap

          thank you AC... t'would be nice to have a few thumbsups on my original post... i read both articles several times to make sure i was reading things correctly before i made my post...

          1. David Pollard

            Re: ... crypto key swap

            @waldo: Your comment would have been a bit clearer if you had included a link to the other article(s) you had read.

            1. waldo kitty

              Re: ... crypto key swap

              > @waldo: Your comment would have been a bit clearer if you had included a link to the other article(s) you had read.

              @david: the link was already posted... it was the one in the reg's article ;)

  4. thames

    Monitor the database?

    The key thing seems to be that the data is being both entered and used through the same web application. If the data was also being used by a separate back-end application that wasn't compromised by the attackers, it would choke on the encryption and the problem would come to light more quickly.

    Perhaps that same principle could be used to monitor the database. If you had something running on another, more secure server that continually checked the integrity of the data you could have it notify you of any problems. Of course now you have to make sure that this server doesn't get compromised somehow, but that might be easier to arrange, and it adds another hoop the bad guys have to jump through. It also helps guard against problems caused by mistakes or equipment/software failures as well as intentional damage.

    I won't be surprised to see security vendors offer an approach based on the above. I also won't be surprised if we see upcoming stories about how the administrators of some major company ignored such warnings because the very expensive enterprise data integrity monitoring solution spit out a deluge of spurious warnings all the time.

    1. Anonymous Coward

      Re: Monitor the database?

      Raspberry Pi + Nagios will do this happily for £20 (£40 if you want failover). Throw it on a private subnet away from your DB servers, give it a SQL/bash script to execute that'll verify your data and you're golden.

      You could even use it to checksum the scripts on the web server for unauthorised modification.
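The out-of-band integrity check proposed in this post and its parent (a separate box that verifies the data and checksums the web scripts), as an added example that is not from the thread or from High-Tech Bridge: it compares script hashes against a baseline manifest and flags database fields that no longer look like plaintext. The script path, the `users` table and the sample values are constructed for the demo.

```python
import hashlib, math, os, re, sqlite3, tempfile

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_manifest(paths):
    # Baseline hashes, taken from a known-good copy of the web scripts
    return {p: sha256_file(p) for p in paths}

def changed_files(manifest):
    # Paths whose current hash no longer matches the baseline
    return sorted(p for p, d in manifest.items() if sha256_file(p) != d)

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in {ch: s.count(ch) for ch in s}.values()) if n else 0.0

def suspicious_rows(conn, table, column, pattern=EMAIL_RE, max_entropy=4.5):
    # Rows whose value fails the expected plaintext shape, or looks like a
    # high-entropy blob (what transparently encrypted fields turn into)
    assert re.fullmatch(r"\w+", table) and re.fullmatch(r"\w+", column)
    flagged = []
    for rowid, val in conn.execute(f"SELECT rowid, {column} FROM {table}"):
        if val is None:
            continue
        if not pattern.match(val) or shannon_entropy(val) > max_entropy:
            flagged.append(rowid)
    return flagged

def demo():
    # Constructed sample: one web script plus a tiny users table
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "db.php")
    with open(script, "w") as f:
        f.write("<?php // constructed stand-in for a web app DB layer\n")
    manifest = build_manifest([script])          # baseline taken here
    with open(script, "a") as f:                 # simulate an unauthorised edit
        f.write("// constructed: encrypt-before-insert hook appended\n")
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [
        ("alice@example.com",), ("bob@example.org",),
        ("U2FsdGVkX1+0ZPmx7kq2bSkJ1aF6wcTc7Q==",),   # constructed ciphertext-like blob
    ])
    return changed_files(manifest), suspicious_rows(conn, "users", "email")
```

Run `demo()` from a host that is not the web or DB server; the modified script and the third row are the findings it should raise.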

      1. Justin Goldberg

        Re: Monitor the database?

        It sounds like the next thing in security is something where each save to a script is also cryptographically signed. Here's an excellent idea from the comments on the original article:

        Admin access should be restricted to only ssh/sftp sessions using PKI, so useless even if password known/brute forced. Of course one must keep the keys safe and it's no protection against vulnerabilities in the web app/os itself, but patching/scanning/pen testing and finally log monitoring do the rest.

  5. gollux

    Welcome to more granite embedded in the cloud...

    Your data is truly safe, just never to be seen again in this life.

  6. Justin Goldberg

    I wonder if the key can be recovered from the server's filesystem? I'm guessing they can't, they were probably smart enough to run tools that erase all freed space.
