SmarterASP.NET, an ASP.NET hosting provider with more than 440,000 customers, was hit yesterday by ransomware.
The company is the third major web hosting firm this year that went down because hackers breached their network and encrypted data on customer servers.
At the time of writing, SmarterASP.NET said it’s working to restore customers’ servers. It is unclear if the company paid the ransom demand, or is restoring from backups.
A phone call to SmarterASP.NET was not returned. The company’s phone line was down, citing an influx of calls. In a status message posted on its website, the company admitted to the hack.
“Your hosting account was under attack and hackers have encrypted all your data,” the message said. “We are now working with security experts to try to decrypt your data and also to make sure this would never happen again.”
Attack happened on Saturday
The attack didn’t just hit customer data, but also SmarterASP.NET itself. The company’s website was down all day on Saturday, coming back online earlier today on Sunday morning.
Server recovery efforts are going slow. Many customers still don’t have access to their accounts and data. Those who do say their data is still encrypted, including website files but also backend databases.
While most users where using SmarterASP.NET for hosting ASP.NET sites, some were using the company’s serves as app backends, where they were synchronizing or backing up important data. The fact that backend databases have also been hit, and not just public-facing web servers, has prevented many from moving impacted services to alternative IT infrastructure.
According to screenshots posted on Twitter, all customer files have been encrypted by a ransomware strain that appends the “.kjhbx” file extension to each file it encrypts. ZDNet is still working to identify the ransomware strain.
SmarterASP.NET is the third hosting provider that was hit this year. The first was A2 Hosting in May. A2, a well-known provider of Windows Servers, had servers in Asia and North America encrypted by a version of the GlobeImposter 2.0 ransomware strain.
The second web hosting provider hit this year was iNSYNQ, a cloud computing provider of virtual desktop environments. The company was infected in mid-July by a version of the MegaCortex ransomware.
Both A2 and iNSYNQ took weeks to restore and fully recover customer data. Due to the sheer size of its customer base, SmarterASP.NET seems to be on point for a similar recovery timeline.
It should be no surprise that ransomware gangs are looking to infect web hosting providers. To this day, the largest ransomware payment ever made came from a web hosting provider.
This “honor” goes to South Korean web hosting firm Internet Nayana, which paid 1.3 billion won ($1.14 million) worth of bitcoins to a hacker following a ransomware incident in June 2017.