Cybercrime Update: Ransomware


“The era of web blackmailing, racket and chantage is about to start.”

2015 began with another incident of what seems to be a new emerging threat in Cybercrime which may overtake defacements and DDoD attacks– the use of hacking for extortion with the introduction of a more vigilant form of Ransomware – “RansomWeb”. Cyber-criminals are targeting website servers, shutting down websites or gaining access to data and holding them for “ransom”.

Ease to cause. Difficult to prevent. Financially driven.

Hackers have procured a way in a form of Malware to make money off negligent site administrators and individuals, with vulnerable website applications with critical data providing an easy way to compromise, threaten and extort companies. As Ilia Kolochenko, CEO of Swiss security firm High-Tech Bridge stated at the end of January;

“The era of web blackmailing, racket and chantage is about to start.”  

Europol reported that several millions of computers have been affected over the last two years, with discrete payment of bitcoin providing anonymity to the data kidnappers and some brand’s customer’s information worth between 50 cents and 2 euros on the blackmarket – ensuring a multi-million euro turnover.

What is Ransomware?

Ransomware encrypts data, servers, websites (using CryptoLocker ransomware) and demands money to decrypt them. Some simply lock the users system (using TOR network to hide C&C Communications via CTB Locker), but still attempt to extort the user in return for access for an amount that tends to increase with time.

Cyber criminals are launching attacks on both companies and individuals; encrypting people’s computers and asking them for payment of amounts ranging from $24 - $50,000. It can be downloaded through software, arrive as a payload, attachments with spam email.

Experts say the modus operandi of hackers using this form of Scareware is that they break into the server of the victim, overwrite backups with either encrypted data or blank data and at a later date returned to the server. When they return the back ups are obsolete, containing no workable data. The victim is then left with the ultimatum; to lose all their data or pay the ransom.

History of Ransomware.

This malware was initially limited to Russia, but due to its inevitable popularity and profitability to cyber-kidnappers, it quickly across Europe, and by 2012 it was being used on individuals and companies across Europe, US and Canada. By 2013, a new type of ransomware was appearing called CryptoLocker with the ability to encrypt files and not just lock an individual’s system.

This would ensure that victims would still pay up if malware deleted. Again, at the end of 2013, a variation of CyrptoLocker appeared called WORM_CRILOCK.A, with the ability to spread via removable drives.  Recently cyber-pirates have incorporated another degree of crime to this due to the availability of bitcoins; crypto-currency theft (via Bit Crypt.)

Last year, Dominos announced that more than 600,000 of their French and Belgian Customer records had been held ransom from their database. This data included names, addresses, phone numbers, e-mails, passwords…. even pizza preferences. The hackers held them for a ransom of $41,000 (31,000 euros), which Dominos were forced to hand over rather than pay a higher cost – of the integrity of its name and its customer’s information.

Experts claim the use of ransomware and kidnapping of data is on the rise due to the availability of crypto-currency like bitcoin; ensuring hackers can be paid without jeopardising their anonymity.


2015 began with the announcement by CEO of Swiss security firm High Tech Bridge that in December their security experts discovered the safety of the website of an undisclosed European financial services company had been compromised. Hackers had taken over the website server, encrypted data on it and demanded payment to unlock the files; the firm labelled the attack RansomWeb.

This attack began six months prior to the website shutting down by locking up the most critical data on the server using “on-the-fly” tweaks to the site’s PHP code functions, unknown to users of the website. The criminals stored the key to decrypt the data on their own remote web server accessible only via HTTPS encrypted communications, supposedly to guarantee that no one with visibility on those connections could get access to the data but them.

As soon as they pulled the key and data was no longer being silently encrypted and decrypted, the website was knocked out of action, at which point employees at the financial services firm were sent emails demanding the firm pay $50,000 to get their website back. They threatened to increase the price by 10 per cent with every passing week. As the company were able to recover the keys due to flaws in the hacker’s system the criminals failed in their efforts of extortion and were not paid.

In January, however, a different hacker crew launched a similar attack on another HTB customer, this time an SMB whose forum containing user’s passwords and emails were encrypted. The hackers asked for the relatively low amount of $1000 and so they believed they weren’t that sophisticated, although smart, but were able to recover the encryption key once again. Though the RansomWeb attacks are a fresh kind of assault on data, like Kolochenko, many experts have anticipated a technique like this.

Companies must weigh out the cost in suspending their website, encrypting or losing data - or  announcing its compromising position and losing customers, shareholders and more.

Data is a major corporate asset; valuable, assessable – and so a compromised database is the perfect hostage for these criminals. Many companies are likely to, if not already, refrain from reporting data breaches, as the cost of paying off hackers is marginal to the extent of damage. These hackers may also be operating for a multitude of reasons, and just wanting to extort business from a company; as even the hack of Sony Pictures in 2014 was believed to have started as a ransom attack.

How can WebPreserver help?

WebPreserver archiving, preserving and authenticating technology can assist Internet Regulators, companies and legal professionals alike in efforts to monitor online activity cyber crime, cyber scams and protect social media accounts from fraudsters.

Authenticating ESI - Rule 901a Collection of Legally Admissible Content

Serving a global client base of Law Firms, Investigators, eDiscovery Firms, Law Enforcement Agencies, Insurance Providers, and the legal counsel of corporations, WebPreserver Software Inc. is a privately-held firm that is owned and managed by a successful team of software veterans. Our aim is to make eDiscovery easy and efficient by providing the highest standards of admissible legal evidence, technology and customer satisfaction.

Contact us

500-311 Water St
Vancouver , BC , V6B 1B8


Do you have any questions?