Cyber Incident Victim: SmarterASP.NET
Date:
Nov 2019
Location:
United States of America
Summary
A major ASP.NET hosting provider with over 440,000 customers suffered a ransomware attack impacting both customer accounts and its own infrastructure, causing extended downtime and data encryption. The Snatch ransomware variant encrypted files with a ".kjhbx" extension, affecting public-facing websites and critical backend databases, hindering customers' ability to migrate services. Recovery efforts proceeded slowly amid high call volumes and limited access, with the provider collaborating with security experts to decrypt data while pledging future safeguards. This incident marked the third ransomware attack against a hosting provider that year, following similar prolonged recoveries at other companies, suggesting comparable restoration challenges due to the scale of affected systems.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The ransomware attack on SmarterASP.NET occurred over the weekend of November 8-10, 2019, impacting the ASP.NET hosting provider and its approximately 440,000 customers. Attackers deployed a variant of Snatch ransomware that encrypted customer files with a ".kjhbx" extension, affecting both public-facing web servers and backend databases. The compromise rendered customer data inaccessible, including website files and database content critical for application backends and synchronization services. SmarterASP.NET's own infrastructure was compromised, with its primary website remaining offline throughout Saturday before partial restoration on Sunday morning. The company publicly acknowledged the attack through a status page message, confirming that hackers had encrypted all customer data and stating they were collaborating with security experts to attempt decryption. No information was disclosed regarding ransom payment or backup restoration strategies during the initial response phase.
Recovery efforts progressed slowly, with numerous customers reporting continued lack of access to their accounts and encrypted data days after the attack began. The encryption of backend databases proved particularly disruptive, preventing customers from migrating affected services to alternative infrastructure. SmarterASP.NET experienced severe communication challenges, with phone systems overwhelmed by call volume and remaining non-responsive. The incident marked the third major ransomware attack against a hosting provider in 2019, following A2 Hosting's compromise by GlobeImposter 2.0 ransomware in May and iNSYNQ's infection by MegaCortex ransomware in July. Both previous incidents required weeks for full customer data restoration, suggesting a comparable recovery timeline for SmarterASP.NET given its substantially larger customer base. The company committed to implementing measures to prevent future attacks but provided no technical specifics regarding containment procedures or decryption progress at the time of reporting.