CTB-Locker ransomware infects 70 web servers

CTB-Locker comes back and strikes 70 web server from 10 countries across the globe. Who is at risk and what should they do?

CTB-Locker ransomware infects 70 web servers

Similar to other successful business sharks, cybercriminals are in constant search of new markets. They carry out experiments, change target audiences and provide feedback to the victims — all to get their hands on some more easy money. This is exactly what we observed in the latest version of CTB-Locker.
CTB-Locker ransomware infects 70 web servers

This ransomware family has been rather smart in the past: for example, it utilized the Tor Project anonymity network to shield itself from security experts, and accepted only almost untraceable Bitcoin payments.

Now comes the good news for the home users, bad for companies: the newest CTB-Locker targets web servers only. While traditional ransomware encrypts user files, this one encrypts data hosted on the server web root. Without these files a website doesn’t exist.

Criminals squeeze $150 (or exactly 0.4 of bitcoin) as a ransom. If a victim doesn’t pay in time, the price doubles.


Culprits also replace the main page of a hacked website with a message, in which they explain in details, what has happened, and when/how the money must be transferred. They helpfully add a video manual for those who don’t know how to buy bitcoins and offer to decrypt two random files to prove their “honesty.” A victim can even chat with the attackers using a special code that is available for victims only.

As far as we know, new CTB-Locker has already encrypted data on more than 70 servers located in 10 countries, the most affected are is the USA, which is not surprising.


CTB-Locker ransomware is truly a scourge of the Internet as there is still no decryption tool that could help victims. The only way to get infected files back quickly is to pay the ransom.

We still don’t know how exactly the CTB-Locker is being deployed on web servers, but we do observe one common thing: a great number of victims use the WordPress platform. That’s why we strongly recommend:

  • update WordPress regularly, as its non-updated versions usually contain a number of vulnerabilities;
  • be very careful with third party plugins: these addons can be very useful, but only when they are created by reliable developers;
  • backup all important data;
  • be cautious about phishing emails;
  • don’t believe into “too good to be true” ads that appear online and encourage you to install third-party software for any purpose (for example, for web analytics).

Though this particular version of ransomware targets only websites, there’re a lot of other cryptors which target your personal files. For home users we advise installing a reliable security solution, making backups on a regular basis and avoiding phishing as nowadays it’s the most popular delivery option for all sorts of malicious programs including ransomware.