This article is more than 1 year old

This is what it looks like when your website is hit by nasty ransomware

How depressing: British Association for Counselling & Psychotherapy hijacked

Malware appears to have hijacked the British Association for Counselling and Psychotherapy (BACP)'s website – and held it to ransom.

The front page of the site has been replaced with instructions on how to pay off the extortionists: $150 (£100) in Bitcoin must be coughed up by February 22, or the association's web data will remain scrambled forever. The malware, CTB-Locker, encrypts files on infected machines, and then demands payment for the decryption key. Without this key, the contents of the documents are useless.

BACP, based in Leicester, describes itself as "the largest professional body representing counselling and psychotherapy in the UK," and is said to have more than 40,000 members. So far, the ransom has not been paid: the crooks' Bitcoin wallet is empty and no currency has been moved from it.

What's puzzling to us is that CTB-Locker is known to be a Windows software nasty that is typically installed by accidentally opening a spam email attachment or browsing a malicious website. Yet, BACP.co.uk appears to be powered by Linux, probably kernel version 2.6.32 to 2.6.35.

Right now, the web server has FTP, SSH, HTTP, HTTPS, RPCBIND, and MySQL services facing the public internet: the HTTP server says it's Apache 2.2.17 running on Fedora, and the SSH service says it's OpenSSH 5.4.

Not all the files on the server have been encrypted – for example, the privacy policy page is still working – however some documents, such as an ethics framework, are scrambled (here's what that framework should look like).

The hijacked front page reads: "Your scripts, documents, photos, databases and other important files have been encrypted with strongest encryption algorithm AES-256 and unique key, generated for this site. Decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the decryption key."

Owned ... the BACP website held to ransom (click to enlarge)

It's entirely possible a Windows PC was infected at the association, website files on the machine were encrypted, and then the files were synchronized to the web server along with a replacement homepage.

Mark this one down as at least one Linux-powered website taken down by CTB-Locker in one way or another – and pray CTB-Locker hasn't infected more of the psychotherapy body's computers. That would certainly need some counseling to recover from.

For the curious, if you open the source code for the hijacked homepage, and scroll down to the end, you'll find URLs to three compromised websites that are hosting scripts that return, in JSON format, whether or not the victims have paid yet. So far, we're told, {"status":"not_payed"}.

In happier times ... how the association's website should look

A spokesperson for BACP was not available for immediate comment. ®

More about

TIP US OFF

Send us news


Other stories you might like