Ransomware Attack Jumps from PC to Websites

The past few weeks, reports of encrypted files on Web servers affecting at least 100 websites alerted us of a ransomware development. This dates back to February 13, when the defaced British Association for Counseling & Psychotherapy heralded a reinvented ransomware variant that has evolved from infecting desktop computers to terrorizing websites.  

The ransomware variant, CTB-Locker, is coded in PHP and is encrypting files on WordPress-run sites. This then replaces the index.php with a file that is capable of defacing the website to display a ransom note. Interestingly, a chat room support feature was made available where a correspondence among the victims and data kidnappers can be conducted.

Security researcher Lawrence Abrams calls the ransomware CTB-Locker for Websites and shares in his findings, “Once the developer (attacker) has access to a site, they rename the existing index.php or index.html to original_index.php or original_index.html. They then upload a new index.php that was created by the developer that performs the encryption, decryption, and displays the ransom note for the hacked site. It should be noted that if the website does not utilize PHP, CTB-Locker for Websites will not be able to function.”

From the first reported incident involving the ransomware variant, the dilemma was whether the attack was to be declared a ransomware attack or if it was simply staged to incite fear among the owners of the targeted website. Researchers then obtained a full copy of the malicious code from one of the affected websites and found that at least 102 websites have been infected so far.

As of now, there are no clear indications divulged on how the perpetrators behind the ransomware have managed to inject and install the malware onto the websites. Security experts ruled out putting the blame on a WordPress vulnerability as a number of the affected sites do not use a CMS. They report, "The infected hosts run both Linux and Windows and the majority of them (73%) host an Exim service (SMTP server).”

Researchers added that most of the affected websites possess a password-protected Web shell, which means attackers have installed this backdoor program onto Web servers they have illegally accessed. It was also raised that most of the websites that are victimized remain susceptible to Shellshock, even after it was patched over a year ago. This goes to show that the infected websites were not properly managed and maintained by their owners, shown by the failure to install updated software.

As of this writing, no tool exists to decrypt files belonging to victims. However, two separately-encrypted files can be decrypted without any charges to show that the ransom should be taken seriously.

This isn’t the first time that a ransomware variant targeted websites. Last November, Linux.Encoder.1 threatened to do just the same. But a cryptographic flaw caused it to immediately be countered as researchers were able to concoct a tool to decrypt it. This may essentially be the proponent for the attackers’ attempt to replicate the same tactic, only better. That said, this may be the dawn of another type of notorious ransomware variant that users should be wary of in the coming months.