A new malicious program has surfaced, marking a new trend in ransomware development, which has already seen a resurgence in 2016. CTB-Locker has been attacking files on web servers, infecting at least 100 websites over the past several weeks.
Also known as Critroni, the ransomware operates similarly to traditional attacks: it encrypts a user’s files and delivers an ultimatum, pay a fee to decrypt and recover your data, or consider it gone. In the case of CTB-Locker, which is a PHP program (PHP being a server-side web scripting language), the attacker specifically targets a website.
Once installed on a web server, CTB-Locker locates the website’s index.php and replaces it with a directory called Crypt that contains additional PHP files. From there, Crypt receives a request from the attacker directing it to encrypt all the files. When the encryption is complete, the website’s homepage displays a message demanding that a payment be made, typically in Bitcoin.
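A defender-side integrity check built around the behaviour described above, added here as an example and not code from the post, from Stormshield or from the malware itself: it baselines SHA-256 hashes of a web root and flags a missing index.php, a directory named Crypt, and any added, changed or deleted files. The sample site and the changes made to it in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

INDICATOR_DIR = "Crypt"  # directory name the post reports appearing in place of index.php

def hash_tree(webroot):
    """Return {relative path: sha256 hex} for every regular file under webroot."""
    webroot = Path(webroot)
    return {str(p.relative_to(webroot)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(webroot.rglob("*")) if p.is_file()}

def check_webroot(webroot, baseline):
    """Compare the live tree against a trusted baseline and return a list of findings."""
    webroot = Path(webroot)
    findings = []
    if not (webroot / "index.php").is_file():
        findings.append("index.php missing or not a regular file")
    for path in sorted(webroot.rglob(INDICATOR_DIR)):
        if path.is_dir():
            findings.append(f"suspicious directory: {path.relative_to(webroot)}")
    current = hash_tree(webroot)
    for rel, digest in current.items():
        if rel not in baseline:
            findings.append(f"new file: {rel}")
        elif baseline[rel] != digest:
            findings.append(f"modified file: {rel}")
    findings.extend(f"deleted file: {rel}" for rel in baseline if rel not in current)
    return findings

def demo():
    """Constructed sample site: baseline it, then mimic the changes the post describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'welcome'; ?>")
        (root / "wp-content").mkdir()
        (root / "wp-content" / "post.html").write_text("<h1>post</h1>")
        baseline = hash_tree(root)          # taken while the site is known-good
        clean = check_webroot(root, baseline)
        (root / "index.php").unlink()       # index.php gone, Crypt/ with PHP files in its place
        (root / "Crypt").mkdir()
        (root / "Crypt" / "index.php").write_text("<?php /* placeholder */ ?>")
        (root / "wp-content" / "post.html").write_bytes(b"\x00\x1f opaque bytes")
        infected = check_webroot(root, baseline)
    return clean, infected

if __name__ == "__main__":
    print(demo())
```

Run the baseline step from a trusted copy of the site, and store the hashes off-host so that a compromised server cannot rewrite them.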
One of these attacks, reported on February 12, 2016, was against the British Association for Counselling and Psychotherapy. It was unclear at first whether the attack was real or an attempt to scare the website owners, as CTB-Locker, then known as Critroni, was a Windows-based ransomware.
Researchers from Stormshield have obtained a full copy of the malicious code from another affected site. “The infected hosts run both Linux and Windows, and the majority of them (73%) host an Exim service (SMTP),” according to Stormshield’s blog. “Some of them are vulnerable to ShellShock, but without a deep access on victims’ servers, it is difficult to understand how this ransomware infected hosts.”
If you are a website owner, particularly if you are using WordPress, we recommend that you ensure you are running the latest version. The majority of the sites that were targeted had been poorly managed and were using outdated versions of WordPress or had installed vulnerable plug-ins.
While CTB-Locker is unusual in that it attacks websites instead of systems, ransomware has certainly paved a path in 2016. We have already seen several cases of infection over the last few weeks, in particular Hollywood Presbyterian Medical Center, which ended up paying $17,000 to have its data released.
Best practices to follow would be to ensure anti-virus is actively running on your device and kept up to date; always update websites and applications to their latest versions, staying aware of vendor patches; and always back up your data to a secure external hard drive.
Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.