After months of relative dormancy, ransomware CTB-Locker or Critroni is back and this time finding new life targeting websites. Researchers are calling this variant “CTB-Locker for Websites” because it targets websites, encrypts their content, and demands a 0.4 bitcoin ($425) ransom for access to the decryption key.
In a technical breakdown of “CTB-Locker for Websites”, Lawrence Abrams, a computer forensics expert and founder of BleepingComputer, writes that attackers are compromising the servers hosting websites and replacing the original index.php or index.html with a new index.php.
In his post, Abrams writes that the “new index.php will then be used to encrypt the site’s data using AES-256 encryption and to display a new home page that contains information on what has happened to the files and how to make a ransom payment.”
The CTB-Locker ransomware, which was prevalent in 2014, is now affecting over a hundred websites, Abrams estimates based on his own research. His security bulletin is based on the discovery of “CTB-Locker for Websites” by a security researcher who goes by the name Benkow Wokned.
Today, CTB-Locker or Critroni infections are not nearly as prolific as other ransomware families such as TeslaCrypt, CryptoWall, and Locky, Abrams said. Abrams also said he doesn’t believe this latest variant of CTB-Locker will have nearly the same impact as its Windows equivalent, for the simple reason that website files are typically backed up and can be easily restored, so admins are more likely to pass on paying the ransom.
Abrams said that the vulnerability used to carry out the CTB-Locker for Websites infection is still unknown. Abrams believes attackers are targeting vulnerable WordPress sites.
Once encrypted, websites display the message: “Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site.”
One unique characteristic of the ransomware is that it lets the victim decrypt two pre-chosen files for free. The ransomware also gives victims the ability to exchange messages with the attackers.
Researcher Benkow Wokned documented that the index.php page planted by CTB-Locker for Websites uses the “jQuery.post() function to communicate and post data to the ransomware’s command and control servers,” Abrams wrote. The C2 servers for CTB-Locker for Websites at the time of writing are http://erdeni.ru/access.php, http://studiogreystar.com/access.php, and http://a1hose.com/access.php.
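The two observable traits described above, a replaced index.php and a jQuery.post() call to one of the listed C2 hosts, are enough for a site owner to build a simple integrity check. The following script is an added example written for this article, not code from BleepingComputer or the researchers quoted; it hashes every index.php/index.html under a web root against a baseline taken from a known-clean copy, then flags any index file whose hash changed, that references one of the three C2 hosts named above, that carries the quoted ransom text, or that posts to a C2 URL via jQuery.post(). The web root, file contents and the replaced page in `demo()` are all constructed for illustration; the only page-derived values are the C2 hosts and the ransom sentence.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators taken from the article: C2 hosts contacted via jQuery.post()
# and a fragment of the ransom message displayed on encrypted sites.
C2_HOSTS = ("erdeni.ru", "studiogreystar.com", "a1hose.com")
RANSOM_TEXT = "have been encrypted with strongest encryption algorithm AES-256"
INDEX_NAMES = ("index.php", "index.html")

# Matches e.g. jQuery.post("http://erdeni.ru/access.php", ...)
C2_POST_RE = re.compile(
    r"jQuery\.post\s*\(\s*['\"]https?://("
    + "|".join(re.escape(h) for h in C2_HOSTS) + ")"
)


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large index files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Record the hash of every index file under a known-clean web root."""
    return {
        p.relative_to(webroot).as_posix(): sha256_file(p)
        for p in webroot.rglob("*")
        if p.is_file() and p.name in INDEX_NAMES
    }


def scan_webroot(webroot: Path, baseline: dict) -> list:
    """Return (relative_path, [reasons]) for every suspicious index file."""
    findings = []
    for p in sorted(webroot.rglob("*")):
        if not p.is_file() or p.name not in INDEX_NAMES:
            continue
        rel = p.relative_to(webroot).as_posix()
        text = p.read_text(errors="replace")
        reasons = []
        if rel not in baseline:
            reasons.append("index file not in baseline")
        elif sha256_file(p) != baseline[rel]:
            reasons.append("hash differs from baseline")
        hosts = [h for h in C2_HOSTS if h in text]
        if hosts:
            reasons.append("references known C2 host(s): " + ", ".join(hosts))
        if RANSOM_TEXT in text:
            reasons.append("contains CTB-Locker ransom text")
        if C2_POST_RE.search(text):
            reasons.append("jQuery.post() to a listed C2 URL")
        if reasons:
            findings.append((rel, reasons))
    return findings


def demo() -> list:
    """Constructed scenario: baseline a clean site, then replace one index.php
    the way the article describes, and scan. Not real malware, just the markers."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "blog").mkdir()
        (root / "index.html").write_text("<html><body>Welcome</body></html>")
        (root / "blog" / "index.php").write_text("<?php echo 'blog'; ?>")
        baseline = build_baseline(root)
        assert scan_webroot(root, baseline) == []  # clean site produces no findings
        # Constructed stand-in for the attacker-planted index.php
        (root / "blog" / "index.php").write_text(
            "<html><script>jQuery.post('http://erdeni.ru/access.php', {});</script>"
            "<p>Your scripts, documents, photos, databases and other important files "
            "have been encrypted with strongest encryption algorithm AES-256 and "
            "unique key, generated for this site.</p></html>"
        )
        return scan_webroot(root, baseline)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel)
        for r in reasons:
            print("  -", r)
```

In practice the baseline would be written to a file outside the web root (or taken from version control or the last backup) and the scan run from cron; a hash mismatch on an index file is worth investigating even without the other indicators, since this variant's first visible action is exactly that replacement.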