Get ready for another EDA2 & Hidden Tear disaster

Mar 1, 2016 10:17 GMT  ·  By

Just before Valentine's Day, a British webmaster had the unpleasant surprise of finding out that his website was defaced with a message that was awfully similar to what ransomware infections show to their (desktop) victims.

It proved to be the first known case of ransomware targeting a website rather than a desktop, and the incident made headlines, with server administrators hoping it was a one-off event rather than part of a larger campaign.

While in the beginning no other infections appeared, this changed during the past week, with another 100+ incidents popping up around the Web.

The ransomware displayed a ransom note modeled after the more famous CTB-Locker. Technically, though, this was not CTB-Locker, which was built to run on Windows desktops, not on Linux Web servers.

CTB-Locker for Websites is coded in PHP

Benkow, a security analyst from Stormshield, managed to break down the ransomware's mode of operation and even extract its source code from one of the infected targets.

He then uploaded the source code to the KernelMode forum so other security researchers could analyze it and pick apart the rest of its behavior. Since then, the "CTB-Locker for Websites" ransomware, as it became known, has made its way onto GitHub.

Taking into account that the last time a ransomware family's source code was placed on GitHub things did not turn out well for users, expect a wave of badly coded ransomware variants hitting websites in the following months.

According to Benkow's analysis, CTB-Locker for Websites is written in PHP, uses AES-256 encryption, and asks for 0.4 Bitcoin, a sum that doubles to 0.8 Bitcoin if the victim does not pay the ransom within two days.

Infection point is unknown

What Benkow has not managed to discover is how the ransomware infects servers. The list of infected websites shows that many don't run a CMS, so blaming outdated Joomla or WordPress sites is out of the question (this time).

"The infected hosts run both Linux and Windows and the majority of them (73%) host an Exim service (SMTP server)," Benkow explained. "Most of them run a password-protected webshell accessible through the 'logout.php' dynamic page."

Additionally, many of the infected websites are still exposed to the Shellshock vulnerability, which was patched more than a year ago. While no specific CMS can be blamed for the ransomware's entry point, it is clear that most of these servers have been neglected by their owners and run outdated software that is most likely open to attack through a multitude of unpatched vulnerabilities.
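Since the article singles out unpatched Shellshock as a marker of neglected servers, here is a small defender-side self-check that an administrator can run on a host to confirm its bash is patched. This is an added example, not code from the article or from Benkow's analysis; it wraps the widely published Shellshock self-test (an environment variable that looks like an exported bash function with a trailing command) and classifies the output. The function names and the sample outputs in the test are assumptions constructed for this example.

```python
import os
import shutil
import subprocess

# Canonical Shellshock self-test value. An unpatched bash imports the
# environment variable as a function definition and then executes the
# trailing "echo vulnerable"; a patched bash refuses the definition and
# only prints a warning on stderr.
_PROBE_ENV_VALUE = "() { :;}; echo vulnerable"
_MARKER = "vulnerable"


def classify_shellshock_output(stdout: str) -> bool:
    """Return True when the probe's trailing command actually ran.

    Only an exact "vulnerable" line counts, so the harmless
    "echo this is a test" payload that follows cannot trigger a false hit.
    """
    lines = [line.strip() for line in stdout.splitlines()]
    return _MARKER in lines


def check_local_bash(bash_path: str = "bash"):
    """Run the self-test against the given bash binary.

    Returns True if bash executed code from the environment (vulnerable),
    False if it ignored the function definition (patched), and None if
    no bash binary could be found on this host.
    """
    exe = shutil.which(bash_path)
    if exe is None:
        return None
    env = dict(os.environ)
    env["x"] = _PROBE_ENV_VALUE
    proc = subprocess.run(
        [exe, "-c", "echo this is a test"],
        env=env,
        capture_output=True,
        text=True,
        check=False,
    )
    return classify_shellshock_output(proc.stdout)


if __name__ == "__main__":
    result = check_local_bash()
    if result is None:
        print("bash not found; nothing to check")
    elif result:
        print("bash on this host still honours Shellshock-style env functions: patch it")
    else:
        print("bash on this host ignores the function definition: patched")
```

Run it on the server itself (or point `check_local_bash` at an alternative binary such as `/bin/bash`). A True result means the host is in the same neglected state the article describes and should be patched before anything else is investigated.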

A simple Google search for some of the text embedded in the ransom note shows that, over the past days, the number of infected websites has varied between 40 and 140 at any given time.

The fact that new infections are still popping up here and there means the attackers remain active, and this is likely only the start of a bigger campaign.

Web servers have been targeted by ransomware before

During the last months of 2015, security researchers discovered the Linux.Encoder ransomware family, also targeting Web servers and source code repositories. Linux.Encoder was written in C and C++ and is not related to CTB-Locker for Websites in any way.

That particular piece of ransomware did not bother to display a ransom note on the website's main domain; it left its notes only as text and HTML files meant for the server's owner (which, purely by accident, sometimes ended up in the Web server's public folders).

Security researchers easily cracked all versions of Linux.Encoder, days after they were first spotted.

Image: Sample "CTB-Locker for Websites" ransom note
Image: CTB-Locker for Websites source code on GitHub