RansomWeb, Which Holds Server DB Data Hostage by Encrypting It, Lands in Korea

Aug 17, 2015

Developer A's web and file servers were attacked by RansomWeb; the data on the servers was encrypted, and the company is struggling to keep its business running. The homepage server of Company B was also infected with RansomWeb, and its homepage service was taken down.

RansomWeb, which encrypts the database (DB) stored on a web server and demands money while holding it hostage, has landed in Korea. It is an evolved form of the ransomware that holds PC data hostage.

The Ransomware Intrusion Response Center of Innotium (CEO Lee Hyung Taek) issued an emergency alert after the new RansomWeb, which began attacking Korean server DBs in early August, spread. Whereas previous ransomware only encrypted PC data, RansomWeb causes serious damage by ultimately stopping web servers and business services. About 30 organizations have already suffered damage from RansomWeb.

Unlike ransomware, which infects through e-mails or certain websites, RansomWeb starts by hacking into the web server. The intruder gains privileges on the web server and controls it without the administrator noticing. Rather than keeping the existing encryption method, the intruder swaps in one of his or her own. The original server administrator can then no longer provide normal service, because he or she can no longer access the DB data.

After encrypting the server DBs, the intruder sends an e-mail demanding Bitcoin.

The intruder demands money after encrypting the server DB and holding it hostage.

The Korean servers currently infected run FTP and IIS as their basic services, and the PC and server login accounts are identical. Because the Remote Desktop service is enabled and Korean servers use public IP addresses, access from outside was possible.

To protect against RansomWeb, remove the Windows Task Scheduler entries that the hackers registered. Forcibly shut down the system if a PC or server slows down for more than 5 to 10 minutes for no apparent reason. Finally, copy the uninfected data to a separate disk and move it to a different device, and strengthen the passwords of the servers' access accounts.
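As an added example, not from the article or from Innotium, the PowerShell audit below supports the first and last steps above: it lists the scheduled tasks outside the Microsoft folders together with what they run and as whom, flags any whose executable lives outside the Windows or Program Files directories, and lists the listening TCP ports so they can be compared against the services the server is meant to expose. It assumes Windows Server 2012 R2 or later and an elevated session on the server being checked.

```powershell
# Added example (not from the article): audit a Windows server for scheduled
# tasks an intruder may have registered and for exposed listening ports.
# Assumptions (mine): Windows Server 2012 R2 or later, run from an elevated
# PowerShell session on the server being checked.

# Everything under \Microsoft\ is populated by Windows itself; other folders
# hold third-party tasks, which is where a hand-registered task would appear.
$builtInPath = '\Microsoft\*'

# Executables under these roots are expected. A task that launches something
# from a user profile, a temp folder or a web root deserves a close look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

$report = foreach ($task in Get-ScheduledTask | Where-Object { $_.TaskPath -notlike $builtInPath }) {
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions carry no executable path
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        $trusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
        }
        [pscustomobject]@{
            Task       = $task.TaskPath + $task.TaskName
            RunAs      = $task.Principal.UserId
            Author     = $task.Author
            Execute    = $exe
            Arguments  = $action.Arguments
            LastRun    = $info.LastRunTime
            Suspicious = -not $trusted
        }
    }
}

"Scheduled tasks outside the Microsoft folders (Suspicious = executable outside Windows/Program Files):"
$report | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# Listening TCP ports with the owning process, to compare against the services
# the server is actually meant to expose (for example whether 3389/RDP or
# 21/FTP are reachable from the public IP through the firewall).
"Listening TCP ports:"
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort | Format-Table -AutoSize

# A confirmed rogue entry is removed with the line below, after saving its XML
# with Export-ScheduledTask for the incident record:
#   Unregister-ScheduledTask -TaskPath '<path>' -TaskName '<name>' -Confirm:$false
```

Review every flagged row with the application owner before removing anything, since legitimate third-party software sometimes installs tasks outside Program Files.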

“RansomWeb, which used to be found in foreign countries, has now been introduced in Korea and is spreading its damage. It seems to be a deviated version from Asian countries, because the e-mails from the intruders contain poor English expressions and grammatical errors. One can reduce damage by setting up the server system login and service accounts differently and blocking all unnecessary ports,” said CEO Lee Hyung Taek of Innotium.

Staff Reporter Kim, Insoon | insoon@etnews.com
