Hackers Encrypt Websites, Holding Businesses Hostage for Thousands

Feb 10, 2015 // Andrew Stroup

Hackers have now shifted to a new tactic: taking over website servers, encrypting all the data, and demanding payment to regain access and decrypt the files.

The Swiss security firm High-Tech Bridge calls these attacks RansomWeb and identified such a case in December 2014; the victim was an undisclosed large European financial services company. Traditionally, this ‘ransomware’ attack delivered via malware has required individuals to pay $100-1000 to recover their accounts, but now that the focus has turned to organizations, the ransom amounts will undoubtedly increase to much larger sums.

In this particular case, the attacks started six months before the website was shut down in December. The hackers encrypted data on the server using “on-the-fly” tweaks to PHP code functions, and stored the decryption keys on their own servers, which the compromised site reached over a secure channel (e.g. TLS). Once the connection between the servers was severed, the keys that had been silently encrypting and decrypting all the website’s data became inaccessible, and the website went down. The attackers then sent ransom emails to employees of the financial services firm demanding $50,000 to restore the website, with the price increasing by 10 percent every passing week.
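The attack described above only works if a modified PHP file can sit unnoticed in the application for months. As an added defender-side example (not from the original post or from High-Tech Bridge), the following Python script shows the kind of check that would surface such a change: a file-integrity baseline over the PHP tree, plus a heuristic that flags any changed file combining a crypto primitive with key material fetched from a remote URL. The file contents, the `key-server.invalid` host and the baseline are constructed samples.

```python
"""Integrity and content check for the RansomWeb pattern: PHP sources quietly
modified to encrypt data with a key fetched from a remote host.
Example code, not from the original post; all inputs below are constructed."""
import hashlib
import re

# Heuristics: real PHP crypto built-ins, and a fetch from a remote URL in the
# same file. Pairing the two is an assumption about how a remote key server
# would be wired in, based on the article's description.
CRYPTO_CALLS = re.compile(
    r"\b(openssl_(en|de)crypt|mcrypt_(en|de)crypt|sodium_crypto_\w+)\s*\(")
REMOTE_FETCH = re.compile(
    r"\b(file_get_contents|curl_init|fsockopen)\s*\(\s*['\"](https?|tls|ssl)://")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Record one hash per file from a known-good deployment."""
    return {path: sha256(body) for path, body in files.items()}


def changed_files(base: dict[str, str], current: dict[str, bytes]) -> list[str]:
    """Files whose hash differs from the baseline, plus files absent from it."""
    return sorted(p for p, body in current.items() if base.get(p) != sha256(body))


def suspicious_crypto(source: bytes) -> bool:
    """True when a file both calls a crypto primitive and pulls data from a
    remote URL: the combination the article describes."""
    text = source.decode("utf-8", errors="replace")
    return bool(CRYPTO_CALLS.search(text)) and bool(REMOTE_FETCH.search(text))


def audit(base: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Report every changed file, and the subset that matches the heuristic."""
    changed = changed_files(base, current)
    return {"changed": changed, "flagged": [p for p in changed if suspicious_crypto(current[p])]}


# Constructed sample: a known-good deployment, then the same tree after a
# hypothetical silent modification of the database helper.
GOOD = {
    "db.php": b"<?php function save($pdo,$v){ $pdo->prepare('INSERT INTO t VALUES(?)')->execute([$v]); }",
    "index.php": b"<?php require 'db.php'; echo 'hello';",
}
TAMPERED = dict(GOOD)
TAMPERED["db.php"] = (b"<?php $k = file_get_contents('https://key-server.invalid/k');\n"
                      b"function save($pdo,$v){ global $k; $c = openssl_encrypt($v,'aes-256-cbc',$k);"
                      b" $pdo->prepare('INSERT INTO t VALUES(?)')->execute([$c]); }")

if __name__ == "__main__":
    print(audit(baseline(GOOD), TAMPERED))
```

In practice the baseline would be taken from the deployment artifact (the release tarball or commit), not from the live server, so that a long-running modification cannot become its own baseline.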

Fortunately this story has a happy ending: the hackers had faults in their own security protocols, and High-Tech Bridge was able to recover the encryption keys. However, a second attack on another High-Tech Bridge customer has since occurred, leading the firm to predict a rapid increase in these types of attacks in 2015.