Crypto ransomware CTB-Locker has been pushed onto users once again. A new variant of the malware now targets websites instead of Windows.
According to PC World, at least 102 websites have been infected since the campaign began on 12 February, when the British Association for Counselling and Psychotherapy website fell victim to attack.
The PHP-written programme encrypts all the files in the server's web directory when it receives a specifically crafted request from an attacker. An option to chat with the criminals is available to victims so they could ask questions or get help to pay the ransom (0.8 Bitcoin).
Benkow, a security analyst from Stormshield, is unsure how the attackers gained access to the website to install the ransomware and doesn't want to place blame on vulnerabilities in a content management system (CMS) such as WordPress since some of the affected sites did not use a CMS.
Benkow said, “The infected hosts run both Linux and Windows and the majority of them (73 percent) host an Exim service (SMTP server). Some of them are vulnerable to ShellShock, but without a deep access on victims' servers, it is difficult to understand how this ransomware infected hosts.”
New infections are still coming up, meaning attackers are still active and possible starting a bigger campaign.