In our new ‘Uncovered’ series we aim to demystify and delve into digital trends, buzzwords and banter – getting to the heart of what these are and outlining what you need to know.

In our first article, we discuss one of the latest evolutions within cyber security, RansomWeb.

We’ve all heard the warnings and reports about opening suspicious emails that could be infected with a virus. Known as ransomware (or scareware) this type of ‘email hack’ usually encrypts a computer straight away. A ransom is demanded to unlock the files, but users have a good chance that one of their latest backups is not affected, which could then be used to restore their system.

But this hack has evolved to a new level of sophistication – essentially holding businesses to ‘ransom’, paralysing their digital assets and causing immeasurable damage to business, brand and the bottom line.

Enter RansomWeb… the silent assassin

Company websites can now be targeted for months without detection and by the time the breach is revealed, it can be too late to recover without paying a hefty price. RansomWeb is a new type of threat that installs a malicious piece of code inside a web application.

Once a target website is compromised, a ‘crypto layer’ is injected into the application in the form of a fake update or patch, which encrypts all the underlying database’s content over time. This patch encrypts and decrypts information on the fly with a secret key and over time, the majority of the data will be fully encrypted without the owner knowing about it. The key is stored on an external system and is under the full control of the hacker. As data is being encrypted, there is no visible impact to the end user or system administrator. It’s like someone installing new locks to your house without you noticing.

Only after a long time, the hacker reveals the hack by removing the external encryption key (the key to the locks). The website’s functions may still appear to be working, but its content is encrypted and unreadable, rendering the web application useless.

These hacks are programmed to run over a number of months to make sure that all usable database backups are fully encrypted, which leaves the victim with no chance of recovery.

Once a system infection is revealed, victims generally have 90 hours to pay the fee. The malicious code uses high-grade encryption, making it virtually impossible for small organisations with limited resources to crack the encryption without paying the ransom fee, which is usually demanded in Bitcoin digital currency and can run into thousands of dollars.

Victims often lose valuable time in trying to solve the problem, in the hope of finding a non-compromised backup. However, this time could potentially cost more than the ransom. Depending on the website, hackers could choose a sensitive time to reveal the hack to increase the pressure on the victim, for example, by compromising a shop system during the Christmas shopping period.

Protecting against RansomWeb attacks

Generally small and medium-sized enterprises running PHP applications have been the target of these attacks, but these attack mechanisms are not limited to just these. SMEs are seen as having less robust controls in place to protect them against becoming a target, or they may simply be less aware of this new trend. However all organisations must remain vigilant and agile to cyber risks.

RansomWeb can be detected by monitoring system changes, although this is a cumbersome process that many companies in reality do not implement because it is hard to manage. At a minimum businesses need to be considering the following tactics to protect against RansomWeb and other cyber attacks:

Detective measures

  • Monitor systems continuously for suspicious traffic (one example is event correlation or sandboxing technologies)
  • Implement up-to-date intrusion detection and prevention systems (IDS)
  • Implement file and system integrity solutions in order to detect malicious activity

Preventive measures

  • Use the latest updates of technical defensive measures such as firewalls, intrusion prevention systems and spam filters
  • Install the latest version of antivirus software on each of your devices and complete regular scans to keep them clean
  • Keep all network servers and PC workstations current with the latest security updates and patches
  • Perform periodic vulnerability or penetration assessments to test that controls operate effectively

As cyber risks continue to evolve in terms of sophistication, organisations must remain vigilant and agile. Protecting from these attacks is no small task but like most modern threats, detection will give a business the best chance of reducing risks to its business assets.

This article was co-written by Thomas Sonderegger, Volker Rath and Varun Mudgal.


Contributor Placeholder


Thomas Sonderegger

Thomas Sonderegger is a Partner in PwC’s cyber security practice.

More About Thomas Sonderegger
Contributor Placeholder


Volker Rath

Volker Rath is a security expert with PwC’s Cyber Security Services. He has international experience primarily focused on the verticals pharmaceutical, manufacturing, financial services and government. He developed many innovative new security solutions and influenced market leading security products and services.

As a SME and Category Manager for hosting and cloud computing Volker also gained a deep understanding of the cloud and hosting market and individual customer requirements.

“I like to think out of the box and try new ways to improve the security and performance of businesses. The quick changing technology and security landscape provides an interesting challenge but also huge potential that I would like to help unlock.”

More About Volker Rath
Contributor Placeholder


Varun Mudgal

Varun Mudgal is a Senior Consultant within the Cyber team at PwC Australia. He has close to eight years’ experience in various IT security areas. He has extensive experience in executing security risk assessment, performing IT audits, vulnerability assessment, PCI – DSS reviews, cloud security, data centre reviews, developing and reviewing security policies and procedures.

Varun holds a Master degree in Software from Symbiosis International University, India, and a Bachelor degree in Computer Science Engineering in Computer Science from India.

“Providing value based professional services to our clients is what drives me and the unquenchable thirst of learning new threats and technologies in the cyber world.”

More About Varun Mudgal