Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

CTB-Locker for Websites Support and Help Topic


  • Please log in to reply
5 replies to this topic

#1 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,274 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:29 PM

Posted 23 February 2016 - 05:50 PM

This topic is to be used for site owners who have been encrypted by CTB-Locker for Websites. This is a new version of CTB-Locker that has been designed to encrypt websites rather than computers and servers.

Detailed information can be found here: CTB-Locker for Websites: Reinventing an old Ransomware

 

encrypted-site.jpg



BC AdBot (Login to Remove)

 


m

#2 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:29 PM

Posted 23 February 2016 - 05:53 PM

Interesting. Hopefully anyone with a host worth a darn has backups. Pretty sure the hackers can't affect the web host's backups, can't imagine how they could without actually hacking into the host's servers.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 dannyboy950

dannyboy950

  • Members
  • 1,338 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:port arthur tx
  • Local time:02:29 PM

Posted 23 February 2016 - 06:01 PM

Actually what is to keep them from hacking a hosts servers? Probably not easy but a hack is still a hack.


HP 15-f009wm notebook AMD-E1-2100 APV 1Ghz Processor 8 GB memory 500 GB Hdd

Linux Mint 17.3 Rosa Cinamon


#4 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:29 PM

Posted 23 February 2016 - 06:07 PM

Definitely not dismissing that as a possibility, just less likely versus the client's virtual site, which is usually way easier. Problem with cheaper hosts is they may have exploits for jumping into other sites hosted on the same server, they sometimes aren't locked down all the way they should be. Once again, comes down to a host "worth a darn".

 

A very interesting move by the criminals, they must've gotten bored with hacking into websites and only using them as mirrors for the infection itself or proxies. Why not do that, plus get extra money from the host of the compromised site I guess.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:03:29 PM

Posted 23 February 2016 - 06:46 PM

More information in this BC News article just posted by Grinler.


.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:02:29 PM

Posted 23 February 2016 - 07:11 PM

The C2 servers are hacked, possibly just proxies then. We can perhaps contact the webmasters for the code. The first one was Joomla, the second one looks to be aware of a hack according to their homepage, yet the script is still active, and the third one is also hit with the infection themselves.


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users