CTB-Locker Ransomware is Spreading Rapidly, Infects Thousands of Web Servers


Ransomware is among the most dreaded classes of malware, and CTB-Locker is one of its best-known families. Until now ransomware has targeted PCs running Windows or Mac, but CTB-Locker is now spreading rapidly and has infected thousands of web servers. This newly detected variant, dubbed “CTB-Locker for Websites”, hijacks websites: it locks up their data and demands a payment of 0.4 BTC for the decryption key. Ransomware targeting websites has never been reported before; this is the first time it has come to light.

Reference:- https://www.linkedin.com/pulse/ctb-locker-ransomware-spreading-rapidly-infects-thousands-sankar

How CTB-Locker for Websites Ransomware Works

CTB-Locker is a very nasty piece of malware. Soon after infecting a website, it replaces the site's index page (the original index.php or index.html) on the hosting server with the attacker's own defacement page, a new, malicious index.php. That page then tells the site owner that their files have been encrypted and that a ransom must be paid. Worse, it sets a deadline and keeps threatening the owner to pay before that deadline expires.


The message shown is usually as follows:

“Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site.”

The message also walks the victim through the steps to make the payment.


As soon as CTB-Locker gains control over a website, the criminals behind it embed two different AES-256 decryption keys in the replaced index.php. The first key decrypts any two randomly chosen files from the locked set for free; these appear under the name “test”. This is done to lure victims into believing the key works. Once the website administrator enters the filename and clicks “Decrypt for Free”, the page decrypts the two files and displays the message ‘Congratulations! TEST FILES WAS DECRYPTED!!’ on screen. The second key only works after the demanded amount has been paid.

CTB-Locker for Websites → Files it Places on the Server


  • index.php : the main component of CTB-Locker for Websites; it contains the encryption and decryption routines as well as the payment page.
  • allenc.txt : a list of all encrypted files.
  • test.txt : the path and filenames of the two pre-chosen files that can be decrypted for free.
  • victims.txt : a list of all files that are to be encrypted; files that have already been encrypted are also present.
  • extensions.txt : a list of file extensions that should be encrypted.
  • secret_[site_specific_string] : the file used by the Free Decrypt and Chat functions, located in the same folder as index.php.

Source:- http://thehackernews.com/2016/02/ctb-locker-ransomware.html
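As an added example (not code from the article, nor from the malware itself), the following Python script scans a web root for the files listed above sitting beside an index.php and reads allenc.txt to count how many files the note claims are encrypted; the directory layout, the two-marker alert threshold and the sample files it builds are constructed assumptions for illustration.

```python
import os
import re
import tempfile
from dataclasses import dataclass

MARKER_FILES = {"allenc.txt", "test.txt", "victims.txt", "extensions.txt"}  # listed beside index.php
SECRET_RE = re.compile(r"^secret_[A-Za-z0-9_-]+$")  # secret_[site_specific_string]; suffix varies per site


@dataclass
class Finding:
    directory: str
    markers: list
    encrypted_count: int = 0


def inspect_dir(directory, names):
    """Return a Finding if the marker files sit next to an index.php here, else None."""
    if "index.php" not in names:
        return None
    hits = sorted(n for n in names if n in MARKER_FILES or SECRET_RE.match(n))
    if len(hits) < 2:  # assumed threshold: a lone test.txt beside index.php is not enough to alert
        return None
    finding = Finding(directory, hits)
    allenc = os.path.join(directory, "allenc.txt")
    if os.path.isfile(allenc):  # allenc.txt lists every encrypted file, assumed one path per line
        with open(allenc, encoding="utf-8", errors="replace") as fh:
            finding.encrypted_count = sum(1 for line in fh if line.strip())
    return finding


def scan_webroot(root):
    """Walk root and return a Finding for every directory that matches."""
    return [f for d, _, files in os.walk(root) if (f := inspect_dir(d, set(files)))]


def build_sample(base):
    """Write a constructed web root: 'shop' carries the markers, 'blog' is clean."""
    sample = {
        "shop": {"index.php": "<?php /* replaced page */ ?>", "secret_abc123": "x",
                 "allenc.txt": "/shop/a.jpg\n/shop/b.sql\n/shop/c.php\n",
                 "test.txt": "/shop/a.jpg\n/shop/b.sql\n"},
        "blog": {"index.php": "<?php echo 'hi'; ?>", "test.txt": "unit test notes\n"},
    }
    for site, files in sample.items():
        os.makedirs(os.path.join(base, site), exist_ok=True)
        for name, body in files.items():
            with open(os.path.join(base, site, name), "w") as fh:
                fh.write(body)
    return base


def run_demo():  # builds the constructed web root in a temp dir and scans it
    return scan_webroot(build_sample(tempfile.mkdtemp()))
```

Calling run_demo() returns one Finding for the constructed 'shop' directory and nothing for 'blog', whose stray test.txt alone does not cross the threshold.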

A website that gets infected can be badly affected. If you run an e-commerce site in particular, an infection with malware like this is a nightmare. So you should always take proper care and precautions to protect your website from malware attacks.
