BreachExchange mailing list archives

This is what it looks like when your website is hit by nasty ransomware


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 19 Feb 2016 14:37:21 -0700

http://www.theregister.co.uk/2016/02/12/this_is_what_it_looks_like_when_your_website_is_hit_by_nasty_ransomware/

Malware appears to have hijacked the British Association for Counselling
and Psychotherapy (BACP)'s website – and held it to ransom.

The front page of the site has been replaced with instructions on how to
pay off the extortionists: $150 (£100) in Bitcoin must be coughed up by
February 22, or the association's web data will remain scrambled forever.
The malware, CTB-Locker, encrypts files on infected machines, and then
demands payment for the decryption key. Without this key, the contents of
the documents are useless.

BACP, based in Leicester, describes itself as "the largest professional
body representing counselling and psychotherapy in the UK," and is said to
have more than 40,000 members. So far, the ransom has not been paid: the
crooks' Bitcoin wallet is empty and no currency has been moved from it.

What's puzzling to us is that CTB-Locker is known to be a Windows software
nasty that is typically installed by accidentally opening a spam email
attachment or browsing a malicious website. Yet, BACP.co.uk appears to be
powered by Linux, probably kernel version 2.6.32 to 2.6.35.

Right now, the web server has FTP, SSH, HTTP, HTTPS, RPCBIND, and MySQL
services facing the public internet: the HTTP server says it's Apache
2.2.17 running on Fedora, and the SSH service says it's OpenSSH 5.4.

Not all the files on the server have been encrypted – for example, the
privacy policy page is still working – however some documents, such as an
ethics framework, are scrambled (here's what that framework should look
like).

The hijacked front page reads: "Your scripts, documents, photos, databases
and other important files have been encrypted with strongest encryption
algorithm AES-256 and unique key, generated for this site. Decryption key
is stored on a secret Internet server and nobody can decrypt your files
until you pay and obtain the decryption key."

It's entirely possible a Windows PC was infected at the association,
website files on the machine were encrypted, and then the files were
synchronized to the web server along with a replacement homepage.

Mark this one down as at least one Linux-powered website taken down by
CTB-Locker in one way or another – and pray CTB-Locker hasn't infected more
of the psychotherapy body's computers. That would certainly need some
counseling to recover from.

For the curious, if you open the source code for the hijacked homepage, and
scroll down to the end, you'll find URLs to three compromised websites that
are hosting scripts that return, in JSON format, whether or not the victims
have paid yet. So far, we're told, {"status":"not_payed"}.

A spokesperson for BACP was not available for immediate comment.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.
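The forwarded article describes two things a responder could check mechanically: the ransom-note wording injected into the front page, and the URLs at the end of the hijacked HTML that point at third-party sites returning payment status as JSON ({"status":"not_payed"}). The script below is an added example, not code from The Register, BACP or the CTB-Locker operators; it takes a page's HTML plus a fetch callable and reports which ransom phrases appear, which off-site URLs are embedded, and what each callback answers. The HTML, the hostnames (compromised-one.example and friends) and the canned responses are constructed sample data so it runs offline, and the "paid"/"payed" spellings are an assumption, since the article only shows the unpaid value.

```python
"""Triage helper for a CTB-Locker style web ransom page (added example)."""
import json
import re
from urllib.parse import urlparse

# Phrases quoted from the defaced front page in the article, compared
# case-insensitively after whitespace normalisation.
RANSOM_PHRASES = (
    "have been encrypted with strongest encryption algorithm aes-256",
    "decryption key is stored on a secret internet server",
    "until you pay and obtain the decryption key",
)

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)

# Constructed sample: a defaced homepage on the victim's own host with three
# off-site callback scripts near the end, as the article describes.
SAMPLE_HTML = """<html><head><title>Encrypted</title></head><body>
<h1>Your scripts, documents, photos, databases and other important files
have been encrypted with strongest encryption algorithm AES-256 and unique
key, generated for this site.</h1>
<p>Decryption key is stored on a secret Internet server and nobody can
decrypt your files until you pay and obtain the decryption key.</p>
<a href="https://www.example-victim.org/privacy-policy">Privacy policy</a>
<script src="http://compromised-one.example/status.php"></script>
<script src="http://compromised-two.example/check.php?site=abc"></script>
<script src="http://compromised-three.example/s.php"></script>
</body></html>"""

# Constructed responses: two callbacks answer with the JSON the article quotes,
# the third has been cleaned up and now returns an HTML error page.
SAMPLE_RESPONSES = {
    "http://compromised-one.example/status.php": '{"status":"not_payed"}',
    "http://compromised-two.example/check.php?site=abc": '{"status":"not_payed"}',
    "http://compromised-three.example/s.php": "<html>502 Bad Gateway</html>",
}


def _normalise(text):
    return re.sub(r"\s+", " ", text).lower()


def ransom_note_hits(html):
    """Return the ransom-note phrases present in the page's visible text."""
    flat = _normalise(re.sub(r"<[^>]+>", " ", html))
    return [phrase for phrase in RANSOM_PHRASES if phrase in flat]


def external_urls(html, own_host):
    """Absolute URLs on hosts other than own_host, in page order, de-duplicated."""
    seen, found = set(), []
    for url in URL_RE.findall(html):
        host = urlparse(url).hostname
        if host and host.lower() != own_host.lower() and url not in seen:
            seen.add(url)
            found.append(url)
    return found


def payment_status(body):
    """Map a callback response to 'paid', 'unpaid' or 'unknown'.

    The article shows {"status":"not_payed"}; accepting 'paid'/'payed' as the
    positive value is an assumption, not something the article confirms.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"  # HTML error page, empty body, non-JSON
    if not isinstance(data, dict):
        return "unknown"
    status = str(data.get("status", "")).lower()
    if status in ("not_payed", "not_paid", "unpaid"):
        return "unpaid"
    if status in ("payed", "paid"):
        return "paid"
    return "unknown"


def triage(html, own_host, fetch):
    """fetch(url) -> response body as str (may raise). Injected so the example
    can run against canned responses instead of touching live hosts."""
    report = {"ransom_note": ransom_note_hits(html), "callbacks": {}}
    for url in external_urls(html, own_host):
        try:
            report["callbacks"][url] = payment_status(fetch(url))
        except Exception:  # a dead callback host is itself worth recording
            report["callbacks"][url] = "unreachable"
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_HTML, "www.example-victim.org", SAMPLE_RESPONSES.__getitem__)
    print(json.dumps(result, indent=2))
```

When pointing this at a real incident, fetch should go through an isolated analysis box or a proxy, since every callback URL is a site the attackers control or have compromised; the hostnames here are placeholders, not the three sites the article refers to.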
