After months of absence, the CTB-Locker (also known as Critroni) ransomware is back, this time targeting websites. Security researchers have named this variant “CTB-Locker for Websites” because it targets websites, encrypts their content, and demands a 0.4 bitcoin ransom for access to the decryption key.
In a technical breakdown of “CTB-Locker for Websites”, computer forensics expert L. Abrams writes that cyber criminals are hacking servers that host websites and replacing the original index.php or index.html with a new index.php.
Abrams also claims that the “new index.php will then be used to encrypt the site’s data using AES-256 encryption and to display a new home page that contains information on what has happened to the files and how to make a ransom payment.”
CTB-Locker ransomware was prevalent in 2014, and the new variant is currently affecting over a hundred websites. According to Abrams, the CTB-Locker or Critroni infections are not as prolific as other ransomware infections, such as TeslaCrypt, CryptoWall, and Locky.
Given this, Abrams said he does not believe this latest variant of CTB-Locker will have the same impact as its Windows equivalent. In addition, Abrams claims that, for the simple reason that website files are backed up and can be easily restored, admins are more likely to pass on paying the ransom.
According to Abrams, the vulnerability used to carry out the CTB-Locker for Websites infection is still unknown. Nevertheless, he believes the attackers are targeting vulnerable WordPress websites.
Once encrypted, infected websites display the message: “Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site.”
One distinctive feature of the ransomware is that it lets the victim decrypt two pre-chosen files for free. It also lets victims exchange messages with the cyber criminals.
The researcher Benkow Wokned reported that the index.php page planted by CTB-Locker for Websites uses the “jQuery.post() function to communicate and post data to the ransomware’s command and control servers.”
The current C2 servers for CTB-Locker for Websites are:
- http://erdeni.ru/access.php
- http://studiogreystar.com/access.php
- http://a1hose.com/access.php
A complete list of known C2 servers can be found here: https://github.com/eyecatchup/Critroni-php
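As an added defender-side example (not code from the article or from the researchers it cites), the Python scanner below checks index.php/index.html files under a web root for the two traits the article describes: a jQuery.post() call to an external URL and a reference to one of the listed C2 endpoints, optionally comparing each file against a known-good SHA-256 baseline. The baseline mapping and the web-root layout are assumptions.

```python
import hashlib
import re
from pathlib import Path

# C2 endpoints quoted in the article, used here purely as detection indicators.
KNOWN_C2 = (
    "erdeni.ru/access.php",
    "studiogreystar.com/access.php",
    "a1hose.com/access.php",
)

# jQuery.post(...) or $.post(...) whose first argument is an absolute URL.
POST_CALL_RE = re.compile(
    r"""(?:jQuery|\$)\.post\(\s*['"](https?://[^'"]+)['"]""", re.IGNORECASE
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_indicators(content: str) -> dict:
    """Return the CTB-Locker-for-Websites indicators present in one index file body."""
    return {
        "known_c2": [c2 for c2 in KNOWN_C2 if c2 in content],
        "post_urls": POST_CALL_RE.findall(content),
    }


def assess(content: str, known_good_sha256=None) -> str:
    """Classify one index file body: 'infected' (known C2 referenced), 'suspicious'
    (jQuery.post to some other external URL), 'modified' (differs from the supplied
    known-good hash but carries no indicator), otherwise 'clean'."""
    verdict = "clean"
    if known_good_sha256 and sha256_hex(content.encode()) != known_good_sha256:
        verdict = "modified"
    hits = find_indicators(content)
    if hits["known_c2"]:
        return "infected"
    if hits["post_urls"]:
        return "suspicious"
    return verdict


def scan_webroot(root: str, baseline=None) -> list:
    """Walk a web root and report every index.php/index.html that is not 'clean'.
    baseline (assumed format) maps relative path -> sha256 of the deployed file."""
    baseline = baseline or {}
    report = []
    for path in Path(root).rglob("index.*"):
        if path.suffix not in (".php", ".html"):
            continue
        rel = str(path.relative_to(root))
        verdict = assess(path.read_text(errors="replace"), baseline.get(rel))
        if verdict != "clean":
            report.append((rel, verdict))
    return report
```

Run `scan_webroot("/var/www", baseline)` from cron or a deploy hook; any 'infected' or 'modified' entry is a cue to restore index files from backup and investigate how the server was reached.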
Thank you for this information, Stephan!