CTB-Locker for Websites is spreading in the wild

The CTB-Locker for Websites operates replacing the original index page with a defacement page that informs site owners of the infection and provided step-by-step instructions to pay the ransom.

“Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site.” states the message on the defaced page.

Once the ransomware gains the website control it submits two different AES-256 decryption keys to the affected index.php.

A first key would be used to decrypt any 2 random files for free under the name of “test.”

“In order to decrypt the two free files you need to enter the filename that starts with secret_ and is located in the same folder as the index.php file.  Once you enter that file and click on the Decrypt it free button, the script will use Jquery to send a request for the test decryption key to one of the Command & Control servers. When the key is received it will decrypt the two files and print Congratulations! TEST FILES WAS DECRYPTED!! to the screen.”

The second decryption key would be the one to use to decrypt the remaining files once the victim has paid the ransomware.

Another feature implemented by the author of the CTB-Locker for Websites is a feature that allows victims to exchange messages with the crooks behind the ransomware.

The researcher Benkow Wokned (@benkow) that discovered CTB-Locker for Website analyzed the jQuery.post() used by the malware to contact the Command and Control (C&C) servers.

Below the list of the Command and Control servers used by this version of CTB-Locker for Websites:

• http://erdeni.ru/access.php
• http://studiogreystar.com/access.php
• http://a1hose.com/access.php

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CBT-Locker, Ransomware)

[adrotate banner=”5″]

[adrotate banner=”12″]