Ransomware, just like any other cyber threat, is constantly evolving and adding new features to its set of capabilities. Ransomware affiliate programs are also a big factor, as any wannabe cyber criminal with basic skills can now join and make some (ransom) money.
|Short Description||CTB-Locker’s most recent variant targets web servers.|
|Symptoms||Part of the attack is website defacement. The website’s interface is replaced by what appears to be a ransom message with instructions.|
|Distribution Method||Quite likely – exploiting WordPress vulnerabilities; third-party WordPress plugins; spam emails.|
|Detection Tool||Download Malware Removal Tool, to See If Your System Has Been Affected by CTB-Locker|
|User Experience||Join our forum to discuss CTB-Locker.|
Sometimes, it’s quite obvious for cyber researchers that the particular ransomware was made by ‘beginners’ or ‘amateurs’. And such cases usually end up with decryption software released and available for victims to restore their files. However, in other instances, the ransomware endures.
CTB-Locker, or Onion, is a perfect example of malicious coders that never give up and seek new ways to reinvent their ransomware. Considering its high infection rates and overall destructiveness, CTB-Locker was even named one of the top ransomware families of 2015. In 2016, CTB-Locker continues to be a player, with a new variant just released in the wild.
What’s New in CTB-Locker’s New Variant?
Essentially, the latest variant of the infamous ransomware targets exclusively web servers. According to researchers at Kaspersky Lab, more than 70 servers (possibly even more) in 10 countries have already been attacked successfully. Fortunately, Kaspersky researchers were able to conduct a detailed technical analysis as several victims contacted them and sent them the ‘cryptors’ that compromised their web servers.
CTB-Locker Server Edition: Technical Resume
The ransom demanded by the new variant is approximately $150, or less than a half bitcoin. However, if the ransom payment is not transferred on time, the sum is doubled to $300. Once the payment is finalized, the decryption key is generated and can be used to restore the server’s files.
Researchers were able to discover that the infection process took place because of security holes in the victims’ web servers. Once the vulnerabilities in question are exploited, the website is defaced.
What is website defacement?
Shortly, website defacement is a type of attack that changes the website’s interface. Attackers usually break into a web server and replace the hosted website with their own website (via Wikipedia). Researchers have concluded that most of the recent defacement attacks are not random but may have political or cultural motives.
As for the ransom message dropped by the server variant of CTB-Locker a.k.a. the website version of CTB-Locker, it is a detailed one that provides some interesting facts:
As visible, the website defacement is the ransom note itself. The original code is not deleted and is stored in an encrypted state on the web root. Its name is changed as well.
The exact security hole that initiates the attack on the victims’ web servers is not yet discovered. However, many of the attacks on the servers have one thing in common – WordPress.
It’s not a secret to anyone that WordPress websites that run outdated versions of the platform are full of vulnerabilities. In addition, WordPress has another weak spot – plugins. Using third-party, suspicious plugins put web servers at risk of various attacks and intrusions.
More on the Topic: TeslaCrypt Spreading via Compromised WordPress Websites
Once the vulnerability is located and exploited, and the ransomware operator is inside WordPress, the main website file is replaced and the encryption process is initiated. Then, the main file is renamed, encrypted and saved. Researchers were able to identify that two different AES-256 keys are used in the attacks.
1. create_aes_cipher($keytest) – encrypts the two files which can be decrypted free.
2. create_aes_cipher($keypass) – encrypts the rest of the files hosted on the server web root.
Another peculiar feature present in the server edition of CTB-Locker is that the ransomware operators will decrypt two files for free. However, the victim doesn’t have the option to choose the files for decryption. A chat room for communication with the malicious operators is also available.
Ransomware Removal Manual and Data Backup Tips
For more technical details about the attack, visit Kaspersky Lab.
As with all ransomware cases, security experts’ advice is backing up all important data, not opening suspicious, unexpected emails, and not using third-party software. Or in the case of WordPress – plugins.
If you have been attacked by this particular variant of CTB-Locker, or another currently active ransomware, you can follow the steps below the article.