CTB-Locker for Websites is spreading in the wild

Pierluigi Paganini February 28, 2016

The experts at BleepingComputer reported a new strain of CTB-Locker for Websites, a new ransomware that mainly targets WordPress sites.

Ransomware continues to threaten users worldwide, today we discussed German Hospitals paralyzed by the malware.  TeslaCryptCryptowall and Locky are the names of the most popular ransomware that already infected millions machines worldwide.

The experts at BleepingComputer reported a new strain of malware belonging to the family of CTB-Locker Ransomware (aka Critroni) that implements features to target websites and request a payment of 0.4 BTC to restore encrypted data. If victims don’t pay within a timeslot the ransom amount increase to 0.8 BTC.

“This is a big month for CTB Locker as they have reinvented themselves by releasing a new variant that I have dubbed “CTB-Locker for Websites” that only targets and encrypts websites. Furthermore, this month CTB-Locker for Windows has also seen an increased distribution, but is still not nearly as active as other ransomware infections such as TeslaCrypt, CryptoWall, and Locky. ” states a post published on BleepingComputer.

The CTB-Locker for Websites is the first variant of ransomware that defaces a website to convince victims to pay the ransom.

The authors of the new CTB Locker allow administrators operating the infected websites to unlock for free two files chosen by the random generator as a proof of decryption key works.

The CTB-Locker for Websites operates replacing the original index page with a defacement page that informs site owners of the infection and provided step-by-step instructions to pay the ransom.

The malware encrypts almost all types of file extensions using the AES-256 algorithm, it also generates a unique ID for each infected website.

“Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site.” states the message on the defaced page.

Once the ransomware gains the website control it submits two different AES-256 decryption keys to the affected index.php.

CTB-Locker for Websites

Source – BleepingComputer

A first key would be used to decrypt any 2 random files for free under the name of “test.

“In order to decrypt the two free files you need to enter the filename that starts with secret_ and is located in the same folder as the index.php file.  Once you enter that file and click on the Decrypt it free button, the script will use Jquery to send a request for the test decryption key to one of the Command & Control servers. When the key is received it will decrypt the two files and print Congratulations! TEST FILES WAS DECRYPTED!! to the screen.”

The second decryption key would be the one to use to decrypt the remaining files once the victim has paid the ransomware.

Another feature implemented by the author of the CTB-Locker for Websites is a feature that allows victims to exchange messages with the crooks behind the ransomware.

CTB-Locker for Websites 2

The researcher Benkow Wokned (@benkow) that discovered CTB-Locker for Website analyzed the jQuery.post() used by the malware to contact the Command and Control (C&C) servers.

Below the list of the Command and Control servers used by this version of CTB-Locker for Websites:

  • http://erdeni.ru/access.php
  • http://studiogreystar.com/access.php
  • http://a1hose.com/access.php
[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CBT-Locker, Ransomware)

[adrotate banner=”5″]

[adrotate banner=”12″]



you might also like

leave a comment