SmarterASP.NET, an ASP.NET hosting provider, was hit yesterday by ransomware. The company is the third major web hosting firm this year to go down because hackers breached its network and encrypted data on customer servers. According to Catalin Cimpanu, the company is working to restore customers’ servers. It is unclear whether the company has paid the ransom or whether it is restoring from backups.
Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system in a way that is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion, in which it encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem. Difficult-to-trace digital currencies such as Ukash or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.
The company later confirmed that it was hit by a ransomware attack. In a message posted on its website, the company said that its security teams were working to decrypt customers’ data and to ensure that such incidents are not repeated.
“Your hosting account was under attack and hackers have encrypted all your data,” the company said in its message.
“We are now working with security experts to try to decrypt your data and also to make sure this would never happen again,” it added.
The attack also affected the website of SmarterASP.NET, which remained inaccessible for the entire day on Saturday. It was back online on Sunday morning.
While the company is currently working to recover customers’ servers, the majority of customers don’t have access to their data yet. Those who were able to access their accounts found their data, including website files and backend databases, in encrypted form.
According to screenshots posted on Twitter, all customer files have been encrypted by a ransomware strain that appends the “.kjhbx” file extension to each file it encrypts. ZDNet is still working to identify the ransomware strain.
The website of SmarterASP.NET is currently available and I did not find any hints of ransomware on the status page. But on Twitter on November 9, 2019, there were already reports that the website was down.
A user received an e-mail in which the attack was confirmed. According to the ZDNet article, the attack affected not only customer data on the servers but also SmarterASP.NET itself. According to ZDNet, the company’s website was unavailable all day on Saturday. In the meantime, however, the website has been available again since Sunday morning. Some users use SmarterASP.NET as a backup for their data. That data is presumably encrypted now as well. The article includes screenshots of files that are said to document the encryption.