In our new ‘Uncovered’ series we aim to demystify and delve into digital trends, buzzwords and banter – getting to the heart of what these are and outlining what you need to know.
In our first article, we discuss one of the latest evolutions within cyber security, RansomWeb.
We’ve all heard the warnings and reports about opening suspicious emails that could be infected with a virus. Known as ransomware (or scareware), this type of ‘email hack’ usually encrypts a computer straight away. A ransom is demanded to unlock the files, but users have a good chance that one of their latest backups is not affected and can be used to restore their system.
But this hack has evolved to a new level of sophistication – essentially holding businesses to ‘ransom’, paralysing their digital assets and causing immeasurable damage to business, brand and the bottom line.
Enter RansomWeb… the silent assassin
Company websites can now be targeted for months without detection and by the time the breach is revealed, it can be too late to recover without paying a hefty price. RansomWeb is a new type of threat that installs a malicious piece of code inside a web application.
Once a target website is compromised, a ‘crypto layer’ is injected into the application in the form of a fake update or patch, which encrypts the underlying database’s content over time. This patch encrypts and decrypts information on the fly with a secret key, so over time the majority of the data becomes fully encrypted without the owner knowing about it. The key is stored on an external system under the full control of the hacker. As data is being encrypted, there is no visible impact to the end user or system administrator. It’s like someone installing new locks on your house without you noticing.
Only after a long time does the hacker reveal the hack, by removing the external encryption key (the key to the locks). The website’s functions may still appear to be working, but its content is encrypted and unreadable, rendering the web application useless.
These hacks are programmed to run over a number of months to make sure that all usable database backups are fully encrypted, which leaves the victim with no chance of recovery.
Once a system infection is revealed, victims generally have 90 hours to pay the fee. The malicious code uses high-grade encryption, making it virtually impossible for small organisations with limited resources to crack the encryption without paying the ransom fee, which is usually demanded in Bitcoin digital currency and can run into thousands of dollars.
Victims often lose valuable time in trying to solve the problem, in the hope of finding a non-compromised backup. However, this time could potentially cost more than the ransom. Depending on the website, hackers could choose a sensitive time to reveal the hack to increase the pressure on the victim, for example, by compromising a shop system during the Christmas shopping period.
Protecting against RansomWeb attacks
Generally, small and medium-sized enterprises running PHP applications have been the target of these attacks, but the attack mechanisms are not limited to them. SMEs are seen as having less robust controls in place to protect them against becoming a target, or they may simply be less aware of this new trend. However, all organisations must remain vigilant and agile to cyber risks.
RansomWeb can be detected by monitoring system changes, although this is a cumbersome process that many companies in reality do not implement because it is hard to manage. At a minimum businesses need to be considering the following tactics to protect against RansomWeb and other cyber attacks:
- Monitor systems continuously for suspicious traffic (one example is event correlation or sandboxing technologies)
- Implement up-to-date intrusion detection and prevention systems (IDS/IPS)
- Implement file and system integrity solutions in order to detect malicious activity
- Use the latest updates of technical defensive measures such as firewalls, intrusion prevention systems and spam filters
- Install the latest version of antivirus software on each of your devices and complete regular scans to keep them clean
- Keep all network servers and PC workstations current with the latest security updates and patches
- Perform periodic vulnerability or penetration assessments to test that controls operate effectively
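Two defensive checks for the ‘crypto layer’ pattern described above, as an added example that is not part of the original article: a file-integrity diff of the web root (the ‘file and system integrity’ item in the list), so an injected fake patch shows up as a modified or new file, and an entropy heuristic that flags database values that look like ciphertext, so silent encryption is noticed before every backup is poisoned. The paths, the sample rows and the fake_ciphertext helper are constructed for the demonstration, and the entropy threshold is a heuristic rather than a hard rule.

```python
import base64, hashlib, math
from pathlib import Path

def file_hashes(root: str) -> dict:
    """SHA-256 of every regular file under root, keyed by relative path (the baseline)."""
    base = Path(root)
    return {str(p.relative_to(base)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(base.rglob("*")) if p.is_file()}

def diff_baseline(baseline: dict, current: dict) -> tuple:
    """Compare two hash maps; an injected 'patch' shows up as a modified or added file."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, modified, removed

def shannon_entropy(text: str) -> float:
    """Bits per character: roughly 4 to 4.5 for natural language, 5.5+ for base64 of random bytes."""
    n = len(text)
    if n == 0:
        return 0.0
    counts = {ch: text.count(ch) for ch in set(text)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encrypted(value: str, min_len: int = 32, threshold: float = 4.8) -> bool:
    """Heuristic for a field that has been silently encrypted: long, no whitespace, high entropy.
    Short values are skipped because their entropy is capped at log2(len)."""
    return len(value) >= min_len and " " not in value and shannon_entropy(value) > threshold

def ciphertext_ratio(values: list) -> float:
    """Fraction of sampled column values that look encrypted. Run this against each backup:
    a ratio that climbs from one backup to the next is the 'over time' encryption in progress."""
    if not values:
        return 0.0
    return sum(looks_encrypted(v) for v in values) / len(values)

def fake_ciphertext(seed: str) -> str:
    """Constructed stand-in for an encrypted field (deterministic, high-entropy base64); not real ciphertext."""
    raw = b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(4))
    return base64.b64encode(raw).decode()

if __name__ == "__main__":
    # Constructed sample: two snapshots of a web root's hashes (hypothetical paths and hashes).
    baseline = {"index.php": "aa11", "lib/db.php": "bb22"}
    current = {"index.php": "aa11", "lib/db.php": "cc33", "lib/crypto_layer.php": "dd44"}
    print("added/modified/removed:", diff_baseline(baseline, current))
    # Constructed sample: a customers table where three of four rows are already encrypted.
    rows = ["Alice Example, 12 High Street, Leeds"] + [fake_ciphertext(f"row-{i}") for i in range(3)]
    print("ciphertext ratio:", ciphertext_ratio(rows))  # 0.75
```

In practice, build the baseline with file_hashes() from a known-good deployment and re-run the diff on a schedule, and sample the ratio from each restored backup rather than from the live database, which decrypts on the fly while the key is still present.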
As cyber risks continue to evolve in sophistication, organisations must remain vigilant and agile. Protecting against these attacks is no small task, but, as with most modern threats, detection gives a business the best chance of reducing the risk to its assets.