ASP.NET hosting provider recovering from ransomware attack

SmarterASP.NET – a provider that hosts Microsoft’s ASP.NET open-source web framework and reportedly has more than 440,000 customers – suffered a ransomware attack on Saturday.

SmarterASP.NET was blunt in a status update on Monday titled:

Your hosting accounts are under attack

This wasn’t a partial paralysis. The provider advised customers that all data had been encrypted and that it was working with security experts to try to decrypt it, as well as making sure that “this would never happen again.”

Please don’t email us, the company asked, saying that it was (understandably!) being flooded by emails and that it doesn’t employ enough people to answer them all. It directed customers to its Facebook page for updates.

As of Monday morning, the provider said that it had fully restored FTP and control panel services – though, going by comments on its Facebook post, it sounds like the company’s stressed-out servers were still giving off a miasma of 503 Service Unavailable error messages.

In that post, the company warned customers not to download encrypted files. “If you still see encrypted files, we will get to it soon,” SmarterASP.NET said. The malware encrypted customers’ web hosting accounts, from which they access servers that may contain the files and data they need to run their sites. Thus, it’s not just the SmarterASP.NET customers that lost all their data: it’s also their websites that were affected.

SmarterASP.NET’s website was also temporarily knocked offline by the attack, but it was reportedly back online as of Sunday morning.

OK, said one commenter, all my files have extension .kjhbx… are they still encrypted?

The answer, at least at that point, was yes. The extension is the fingerprint of this particular flavor of ransomware. SmarterASP.net got hit with what ZDNet identified as a variant of the Snatch ransomware. The variant encrypts files with a .kjhbx file extension, as shown by screenshots shared on Twitter, one of which is of the extortionist’s note, the other of which shows a list of encrypted files.

On Monday, two hours after the company posted its Facebook message about its restored control and FTP services, it posted a status update saying that it was 95% back up, with some affected accounts still being decrypted. The ransomware-flustered company begged customers to please hold tight:

They WILL BE decrypted so don’t worry. Please don’t submit requests here.

How to protect yourself from ransomware

• Pick strong passwords. And don’t re-use passwords, ever.
• Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
• Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
• Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate limiting, 2FA or a VPN if you do.
• Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

Can you be hit by someone else’s ransomware?

(Watch directly on YouTube if the video won’t play here.)