Ransomware attacks are on the increase as reported previously*, but it seems that the threat of a DDOS attack may not be the only extortion muscle being employed.
High-Tech Bridge has published details of two breach investigations they conducted recently which have exposed an intricate cyber-extortion racket they have dubbed RansomWeb.
The anatomy of the breach is that a client’s website application is hacked with the result that over a prolonged period of several months, transactions are encrypted using the Hackers key.
Everything continues to work normally until the Hacker suddenly removes access to the encryption key. At this point, data stored using the hacker key is no longer accessible (it has been encrypted!) and because this has been going on for several months, resorting to a backup that pre-dates the hack is operationally unviable – too much data would be lost.
Stop the breach or Spot the Breach?
In terms of defending against such an attack, the likely attack vector used were stolen/hijacked FTP credentials. A password policy that aligns to security best practices is critical for these most sensitive access credentials – regular aging with stringent re-use restrictions, coupled with complexity and length parameters is the minimum requirement. Consider also greater restrictions to access – only allow internal access to the website filesystem, confined to only a minimal range of devices/IP addresses. Use of a Jump Server adds an additional layer to secure access, private keys can also be employed to further ‘fingerprint’ access to only authorized devices.
The second factor that HTBridge recommend is the use of file integrity monitoring. Their summary regarding FIM and RansomWeb is
“Can be easily detected by a file integrity monitor (however, very few companies do file integrity monitoring for web applications that may change every day”
This is where NNT innovations in File Integrity Monitoring for web applications offers a significant advantage over basic file integrity monitoring tools. By providing highly flexible and precise rules for both inclusions and exclusions, NNT FIM will only alert when critical system and configuration files change. Even then, because Change Tracker’s Closed-Loop Intelligent Change Control technology will automatically distinguish between Planned and Unplanned changes.
This makes NNT Change Tracker a perfect breach detection system for web applications, even where the application is being regularly changed.
To read more about NNT Change Tracker
To read more about RansomWare – High-Tech Bridge forensic investigation
To read more about RansomWare – The Register