SmarterASP.NET – a provider that hosts Microsoft’s ASP.NET web framework and reportedly has more than 440,000 customers – suffered a ransomware attack on Saturday.

SmarterASP.NET was blunt in a status update on Monday titled:

“Your hosting accounts are under attack”.

SmarterASP.NET’s website was also temporarily knocked offline by the attack, but it was reportedly back online as of Sunday morning. Apparently, they got hit with a variant of the Snatch ransomware which encrypts files with a. kjhbx file extension.

The provider advised customers that all data had been encrypted and that it was working with security experts to try to decrypt it; please don’t email us, the company asked, saying that it was being flooded by emails and that it doesn’t employ enough people to answer them all. It directed customers to its Facebook page for updates.

The company warned customers not to download encrypted files. “If you still see encrypted files, we will get to it soon,” SmarterASP.NET said. The malware encrypted customers’ web hosting accounts, from which they access servers that may contain the files and data they need to run their sites. Thus, it’s not just the SmarterASP.NET customers that lost all their data: it’s also their websites that were affected.

On Monday, two hours after the company posted its Facebook message about its restored control and FTP services, it posted a status update saying that it was 95% back up, with some affected accounts still being decrypted. The ransomware-flustered company begged customers to please hold tight:

They WILL BE decrypted so don’t worry. Please don’t submit requests here.

Two very important notes need to be mentioned in regards to this story.

1-     The first is how people started being affected by the ransomware without being infected themselves. As mentioned in the press release of the victim company, their customers got infected because they kept their files, naturally, but also their customers’ customers were being in danger of downloading infected files from websites they were on.

Websites always download files to your machines, whether it be cookies that keep you logged in on your favorite social media (for example) or software that runs in the background to deliver those occasional news pop-ups (among other things) … So, what if the host gets infected… what is that website downloading to your computers then? And how will you even know?

2-     How did they come back up so fast while other victims of ransomware had to pay hundreds of thousands of dollars in ransom such as Lake City, Florida or Atlanta, Georgia?

Apparently, they had deployed next-generation endpoint protection that would have kept “clean” versions of their systems in memory; making it possible to simply revert the encryption and restore their files and systems operations in such a record time.

The use of next-generation protection is critical these days, especially facing a ransomware attack. What usually makes your computer a very expansive paperweight and shuts down your operation – possibly even causing bankruptcy – becomes a nuisance that you can recover from within a few hours. Not your ideal Monday morning, but definitely better than the alternative!

How to protect yourself from ransomware

Pick strong passwords. And don’t re-use passwords, ever.

Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.

Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.

Lockdown RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off RDP if you don’t need it, and use rate-limiting, 2FA or a VPN if you decide to use RDP.

Use anti-ransomware protection.

Please reach out if you need any further assistance, we will always be happy to provide free and comprehensive advice.