Ransomware attacks are on the increase as reported previously*, but it seems that the threat of a DDOS attack may not be the only extortion muscle being employed.


High-Tech Bridge has published details of two breach investigations they conducted recently which have exposed an intricate cyber-extortion racket they have dubbed RansomWeb.

The anatomy of the breach is that a client’s website application is hacked, with the result that, over a prolonged period of several months, transactions are encrypted using the hacker’s key.

Everything continues to work normally until the hacker suddenly removes access to the encryption key. At this point, data stored using the hacker’s key is no longer accessible (it has been encrypted!) and, because this has been going on for several months, resorting to a backup that pre-dates the hack is operationally unviable – too much data would be lost.

Stop the breach or Spot the Breach?

In terms of defending against such an attack, the likely attack vector was stolen/hijacked FTP credentials. A password policy that aligns to security best practices is critical for these most sensitive access credentials – regular aging with stringent re-use restrictions, coupled with complexity and length parameters, is the minimum requirement. Consider also greater restrictions on access – only allow internal access to the website filesystem, confined to a minimal range of devices/IP addresses. Use of a Jump Server adds an additional layer to secure access; private keys can also be employed to further ‘fingerprint’ access to only authorized devices.

The second factor that HTBridge recommend is the use of file integrity monitoring. Their summary regarding FIM and RansomWeb is:

“Can be easily detected by a file integrity monitor (however, very few companies do file integrity monitoring for web applications that may change every day)”

This is where NNT innovations in File Integrity Monitoring for web applications offer a significant advantage over basic file integrity monitoring tools. By providing highly flexible and precise rules for both inclusions and exclusions, NNT FIM will only alert when critical system and configuration files change. Even then, Change Tracker’s Closed-Loop Intelligent Change Control technology will automatically distinguish between Planned and Unplanned changes.

This makes NNT Change Tracker a perfect breach detection system for web applications, even where the application is being regularly changed.
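The idea of include/exclude rules combined with a planned-versus-unplanned check can be sketched in a few lines of Python. This is an added example, not NNT Change Tracker or High-Tech Bridge code; the rule patterns, the directory names and the `approved` manifest (path to expected digest, as a deployment process might produce) are assumptions made for illustration.

```python
import fnmatch
import hashlib
import os

# Hypothetical rule set: watch code and config, ignore content that changes daily.
INCLUDE = ["*.php", "*.js", "*.conf", ".htaccess"]
EXCLUDE = ["uploads/*", "cache/*", "logs/*"]


def monitored(rel_path):
    """True if the path matches an include rule and no exclude rule."""
    rel_path = rel_path.replace(os.sep, "/")
    name = rel_path.rsplit("/", 1)[-1]
    if any(fnmatch.fnmatch(rel_path, pat) for pat in EXCLUDE):
        return False
    return any(fnmatch.fnmatch(name, pat) for pat in INCLUDE)


def snapshot(root):
    """Map each monitored file under root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if monitored(rel):
                with open(full, "rb") as fh:
                    digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current, approved=None):
    """Classify differences between two snapshots as planned or unplanned.

    approved maps path -> expected new digest (None for an approved deletion),
    e.g. taken from a deploy manifest; anything else is reported as unplanned.
    """
    approved = approved or {}
    planned, unplanned = [], []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        is_planned = path in approved and approved[path] == new
        (planned if is_planned else unplanned).append((kind, path))
    return planned, unplanned
```

A modified data-access script that no deployment accounts for, such as the code that reads and writes the database, lands in the unplanned list, while churn under the excluded directories generates no alert.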


To read more about NNT Change Tracker

To read more about RansomWare – High-Tech Bridge forensic investigation

To read more about RansomWare – The Register

To read more about Will 2015 be the year of DDOS Extortion? New trojan out to attack Linux platforms

Copyright 2019, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.