
CTB Locker targets websites along with computers

Gershwin | 10.05.2016 15:55

It has been almost two years since the CTB Locker file-encrypting Trojan first came into the limelight. Not only has it remained one of the top ransomware threats over that time, it has also changed its modus operandi and moved into new niches.

The original edition infected Windows machines chiefly through self-extracting ZIP archives attached to phishing emails, encrypted the victim's personal files using elliptic-curve cryptography, and demanded a ransom of 0.2 Bitcoin for decryption. While that version is still around without tangible modifications, the ransomware operators have also started attacking websites.

According to recent reports, the perpetrators have devised a variant of CTB Locker that compromises websites, mostly ones built with WordPress, an open-source platform popular with webmasters. In the course of the attack, the malicious code replaces the site's index.php with a namesake of its own; that script is the ransomware, and it encrypts the site's files with AES-256. The cipher itself is not the weak point: AES-256 cannot practically be brute-forced, so the only realistic way to recover without paying is a mistake on the attackers' side in how the key is generated, stored or handled, for example a key left behind on the server or reused across victims.

The malicious index.php serves a page with ransom instructions in place of the real homepage. It lets the site admins decrypt two files free of charge as proof that decryption works; decrypting the rest costs 0.4 Bitcoin, about 200 USD at the time of writing. Given the growth of such attacks, webmasters running WordPress sites are strongly recommended to keep the CMS, along with its plugins and themes, up to date so that their content is not encrypted this way. Regular backups of the site remain the most reliable way to limit the damage, provided they are stored somewhere the web server itself cannot write to: a backup that sits on the compromised host is within reach of the same script.
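As an added example (not code from the article, from WordPress or from the ransomware itself), here is the check a site admin would want for the two symptoms just described: an index.php that no longer matches the one shipped with the install, and site files whose contents have turned into ciphertext. It assumes a manifest of file hashes captured while the site was clean and kept off the host; the stock index.php, the ransom page, the site files and the "ciphertext" (random bytes standing in for AES-256 output) are all constructed stand-ins, not real WordPress or CTB Locker material.

```python
"""Added example, not code from the article, WordPress or CTB Locker: a
baseline-and-entropy scan of a WordPress document root that flags the two
symptoms described above, a replaced index.php and bulk-encrypted site files.
Every path, file body and 'stock' file below is constructed for the demo."""
import hashlib
import math
import os
import tempfile
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte: cipher output is near 8.0, PHP/HTML around 4-5
MIN_SIZE = 256           # entropy estimates on tiny files are noise
# Already-compressed formats are high-entropy by nature; skip them to avoid false alarms.
SKIP_SUFFIXES = (".jpg", ".jpeg", ".png", ".gif", ".zip", ".gz", ".woff", ".woff2")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """relative path -> SHA-256 for every file under root; capture it from a
    known-good state (fresh install or verified backup) and store it off-host."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def scan_webroot(root, baseline):
    """Diff the tree against the baseline and flag files that look encrypted."""
    current = build_manifest(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    high_entropy = []
    for rel in current:
        path = os.path.join(root, rel)
        if rel.lower().endswith(SKIP_SUFFIXES) or os.path.getsize(path) < MIN_SIZE:
            continue
        with open(path, "rb") as fh:
            if shannon_entropy(fh.read()) >= ENTROPY_THRESHOLD:
                high_entropy.append(rel)
    return {
        "index_tampered": "index.php" in changed or "index.php" in missing,
        "changed": changed,
        "added": added,
        "missing": missing,
        "high_entropy": sorted(high_entropy),
    }


# --- constructed demo site: stand-ins, not real WordPress or ransomware code ---
STOCK_INDEX = b"<?php\ndefine( 'WP_USE_THEMES', true );\nrequire __DIR__ . '/wp-blog-header.php';\n"
RANSOM_INDEX = b"<?php\n/* stand-in for a dropped ransom page */\necho '<h1>Your files are encrypted</h1>';\n"


def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_demo_site(root):
    write(root, "index.php", STOCK_INDEX)
    write(root, "wp-blog-header.php", b"<?php\nrequire __DIR__ . '/wp-load.php';\n" * 10)
    write(root, "wp-content/uploads/post.txt", b"Plain text post content.\n" * 20)
    write(root, "wp-content/uploads/logo.png", os.urandom(1024))  # compressed image stand-in


def simulate_infection(root):
    """Model the attack: index.php swapped for the ransom page, other files
    replaced by ciphertext (random bytes stand in for AES-256 output)."""
    write(root, "index.php", RANSOM_INDEX)
    write(root, "wp-blog-header.php", os.urandom(4096))
    write(root, "wp-content/uploads/post.txt", os.urandom(4096))


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_site(root)
        baseline = build_manifest(root)   # taken while the site is clean
        clean = scan_webroot(root, baseline)
        simulate_infection(root)
        infected = scan_webroot(root, baseline)
    return {"clean": clean, "infected": infected}


if __name__ == "__main__":
    print(demo())
```

The manifest comparison is the reliable signal: a changed index.php on a site nobody has updated is reason enough to take the host offline and restore from backup. The entropy check is only a hint, since images, archives and web fonts are high-entropy by nature (hence the suffix skip list); treat it as a way to gauge how much of the tree has been encrypted, not as the sole detector. Run the scan on a schedule from a host other than the web server, with the baseline stored beside the backups.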

The Windows version of CTB Locker is mutating as well. Newer builds are signed with a stolen code-signing certificate. This helps the sample slip past antivirus checks that trust signed binaries and lends the program an air of legitimacy, although a valid signature only says who the certificate was issued to, not that the code is safe. All in all, this crypto malware poses a serious challenge to users, who are pretty much helpless unless they keep backups outside the computer. Beyond that, CTB Locker victims can try the Volume Shadow Copy Service to get earlier versions of their files back, provided the malware has not already deleted the shadow copies, as many ransomware families do, and they can give dedicated file-recovery tools a shot. More info: http://bravoteam.it/guide/ctb-locker