starbuck Posted February 25, 2016

After months of relative dormancy, ransomware CTB-Locker or Critroni is back and this time finding new life targeting websites. Researchers are calling this variant “CTB-Locker for Websites” because it targets websites, encrypts their content, and demands a 0.4 bitcoin ($425) ransom for access to the decryption key.

In a technical breakdown of “CTB-Locker for Websites”, Lawrence Abrams, a computer forensics expert and founder of BleepingComputer, writes attackers are hacking servers hosting websites and replacing the original index.php or index.html with a new index.php. In a post Abrams writes the “new index.php will then be used to encrypt the site’s data using AES-256 encryption and to display a new home page that contains information on what has happened to the files and how to make a ransom payment.”

The CTB-Locker ransomware, which was prevalent in 2014, is now impacting over a hundred websites, Abrams estimates based on his own research. His security bulletin is based on the discovery of the “CTB-Locker for Websites” by a security researcher that goes by the name Benkow Wokned.

Today, CTB-Locker or Critroni infections are not nearly as prolific as other ransomware infections TeslaCrypt, CryptoWall, and Locky, Abrams said. With this latest variant of CTB-Locker, Abrams said, he doesn’t believe it will have nearly the same impact as its Windows equivalent. For the simple reason website files are backed up and can be easily restored, admins are more likely to pass on paying the ransom, Abrams explains.

Abrams said that the vulnerability used to carry out the CTB-Locker for Websites infection is still an unknown. Abrams believes attackers are targeting vulnerable WordPress sites.

Once encrypted, websites display the message:

Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site.

One unique characteristic of the ransomware is the ability of the victim to decrypt two prechosen files for free. The ransomware also gives victims the ability to swap messages with the ransomware attackers.

Source:
https://threatpost.com/ctb-lockercritroni-finds-new-legs-targeting-websites/116457/
http://www.bleepingcomputer.com/news/security/ctb-locker-for-websites-reinventing-an-old-ransomware/

DSTM Posted February 25, 2016

Thanks Pete. All the more reason to have a cloned copy of your OS, which is not connected to your PC.

FPCH Staff Tony D Posted February 25, 2016

I think as the author mentioned, this won't have a large impact. Don't most webmasters create their websites on a local machine and then ftp the files to the host server? If so, once a site is encrypted, the webmaster has to merely ftp the local files back to the host. Is this thinking correct?