CTB Locker ransomware now also encrypts websites

The well-known crypto ransomware CTB Locker is back. After a considerable slowdown in distribution, it is being pushed onto users again, and this time its executable has been signed with a stolen certificate.

But what is even more interesting is that there is a new variant of the malware, and this one targets websites instead of Windows workstations.

CTB Locker for websites

According to a security researcher that goes by the online handle Benkow, at least 102 websites have already been infected, and the infection campaign bates back to February 12.

“Websites become infected by the ransomware developers hacking the site and replacing the original index.php or index.html with a new index.php. This new index.php will then be used to encrypt the site’s data using AES-256 encryption and to display a new home page that contains information on what has happened to the files and how to make a ransom payment,” Bleeping Computer’s Lawrence Abrams explains.

The malware encrypts all files located in the server – two random files with one key, and the rest with another. This is because the criminals behind the malware offer to decrypt the two random files for free, as a show of good faith.

The malware also offers the option to chat with the criminals, if the victim wants to ask questions or get help to pay the asked-for ransom (0.8 Bitcoin).

Benkow couldn’t pinpoint how the victim websites get infected, but offered some details about the servers hosting them: “Based on the fact that a lot of victims do not have a dynamic website or a CMS, it is difficult to say if the malware uses a well-known vulnerability. The infected hosts run both Linux and Windows and the majority of them (73%) host an Exim service (SMTP server). Most of them run a password-protected webshell accessible through the ‘logout.php’ dynamic page. Some of them are vulnerable to shellshock, but without a deep access on victims’ servers, it is difficult to understand how this ransomware infected hosts.”

Abrams posits that the attackers are targeting vulnerable WordPress sites.

As with most crypto ransomware, the only sure way to avoid paying the ransom is to have up-to-date backups.