Upgraded version of CTB Locker encrypts WordPress sites
by Nikola Strahija on February 29th, 2016
It seems that the new version of CTB Locker ransomware encrypts WordPress websites demanding 0.5 BTC to release files.
This new variant encrypts all files on WordPress-powered websites and replaces the standard index.php with information on paying the ransom. But that's not all - it even implements a chat room support feature where victims can exchange a few words with the attackers.
Benkow Wokned (@benkow_) and Tomas Meskauskas (@pcrisk) found the new variant, warning it has probably infected hundreds of websites already.
Victims are given the opportunity to decrypt two separately-encrypted files free of charge to demonstrate the legitimacy of the ransom.
Lawrence Abrams from Bleeping Computer shares:
Once the developer (attacker) has access to a site, they rename the existing index.php or index.html to original_index.php or original_index.html. They then upload a new index.php that was created by the developer that performs the encryption, decryption, and displays the ransom note for the hacked site. It should be noted that if the website does not utilize PHP, CTB-Locker for Websites will not be able to function.
Benkow Wokned published his findings here after dissecting the ransomware and finding its control servers and unprotected web shells. The Google dork is: "We give you the opportunity to decipher 2 files free!"
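For site owners, the two traits described above (the original index file renamed to original_index.php or original_index.html, and a replacement index.php carrying the ransom note) can be checked on disk. The following is an added example, not code from the article or from the researchers; the function names and the demo directory layout are hypothetical, and it assumes the note text quoted in the dork appears verbatim in the replaced index.php.

```python
import os
import tempfile

# Indicators taken from the article: the renamed original index files and
# the ransom-note phrase quoted as the Google dork.
RENAMED = {"original_index.php", "original_index.html"}
NOTE_MARKER = b"We give you the opportunity to decipher 2 files free!"


def scan_webroot(root):
    """Walk root and return [(directory, [reasons])] for matching directories."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        if "index.php" not in names:
            continue
        reasons = []
        renamed = sorted(RENAMED & names)
        if renamed:
            reasons.append("renamed index beside index.php: " + ", ".join(renamed))
        try:
            with open(os.path.join(dirpath, "index.php"), "rb") as fh:
                if NOTE_MARKER in fh.read():
                    reasons.append("ransom note text in index.php")
        except OSError as exc:
            # An index.php the scanner cannot read still deserves a manual look.
            reasons.append("index.php unreadable: %s" % exc)
        if reasons:
            findings.append((dirpath, reasons))
    return findings


def build_demo_tree(base):
    """Constructed sample data: one untouched site and one matching the article."""
    clean = os.path.join(base, "clean_site")
    hit = os.path.join(base, "hit_site")
    for d in (clean, hit):
        os.makedirs(d)
    with open(os.path.join(clean, "index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>")
    with open(os.path.join(hit, "original_index.php"), "wb") as fh:
        fh.write(b"<?php echo 'hello'; ?>")
    with open(os.path.join(hit, "index.php"), "wb") as fh:
        fh.write(b"<html>" + NOTE_MARKER + b"</html>")
    return clean, hit


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for directory, reasons in scan_webroot(tmp):
            print(directory, reasons)
```

A file named original_index.php can exist for unrelated reasons, so a directory flagged only for the rename is a prompt for review rather than proof of infection.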