In the last few years, the concept of “ransomware” has evolved from a rare occurrence to one of the more dominant forms of cyber threats that both business and personal users face on a daily basis. Ransomware is a type of malware that encrypts all files on a computer’s hard drive including photos, documents, databases and more. In order to regain access to that data, the user is required to pay a fee to the attacker; however, there is no guarantee that the files can ever be recovered. Recently, a nasty strain of ransomware called CTB-Locker has created a particular cause for concern.
What is CTB-Locker?
What makes CTB-Locker such an interesting ransomware variant is that it doesn’t go after the files on a user’s hard drive – instead, it goes after entire websites. When an administrator uploads new files to a file server and pushes that data through to the website, the ransomware takes hold – displaying a message to all users that the site has been compromised. Administrators are completely locked out of all site data, preventing them from making any changes unless they pay a ransom of 0.4 Bitcoin.
When a site has been compromised, CTB-Locker replaces the index page on the file server – either the index.php or index.html file. The new version of that file not only displays the ransom demand, but also starts a ticking clock. Users have a limited amount of time to pay the ransom before the site is gone forever.
In an interesting twist, CTB-Locker often comes with a random generator decryption key that allows the site’s administrators to unlock two random files from their website. From a certain perspective, this is actually a brilliant bit of marketing on behalf of cyber attackers. Not only does it prove that the decryption keys that site administrators will supposedly receive after they pay the ransom works, but it also provides the administrators with additional incentive to comply with the demand instead of attempting to figure out a solution on their own.
Ransomware Live Chat Support?
Another factor that makes CTB-Locker so interesting is that it often gives users the ability to communicate directly with their attackers, which is something that other strains directed at computer hard drives often lack. The developers of the CTB-Locker ransomware strain make a chat room available, creating a communication channel between themselves and their victims.
What CTB-Locker Actually Does
When CTB-Locker infects a website, it utilizes a variety of different files in an attempt to make the situation as difficult to untangle as possible. In addition to the aforementioned index.php or index.html files, it also uses an allenc.txt document to keep a list of all files that have been encrypted during the attack. A test.txt file is also often present, which contains both the directory path and the filenames of two files that have been chosen that the victim can decrypt for free.
Though the FBI has previously stated that victims of ransomware attacks should just pay the ransom, CTB-Locker and the complexity of this situation cast doubt on that idea. One thing is for sure: cyber security has never been more important, particularly when it comes to a business’s website, which is often the first point of contact and the first impression created between the customer and the organization.
If you’re in Washington, DC or Baltimore and you have any other questions about the CTB-Locker Ransomware, or if you’d just like to discuss other security and IT-related topics with someone in a little more detail, please feel free to call (443) 216-9999 or email firstname.lastname@example.org to speak to a representative at Hammett Technologies today.