Ransomware has steadily evolved over the past decade, moving from isolated attacks on individual computers to wider campaigns that disrupt entire services. Families such as Cryptowall and Locky showed how quickly file-encrypting malware could spread across Windows systems.
Researchers are now documenting a shift in that pattern. A variant of CTB-Locker has been adapted to target websites directly, encrypting server-side data and defacing pages to pressure site owners into paying a ransom.
The strain, commonly referred to as CTB-Locker for Websites, does not target end-user PCs first. Instead, it hijacks web servers, locks website files, and demands payment in Bitcoin to restore access.
FOR PROFESSIONALS
CTB-Locker for Websites is an extension of the CTB-Locker ransomware family that traditionally targeted Windows systems. In this variant, attackers focus on web servers rather than individual desktops, encrypting site content and replacing the main index page with a ransom notice.
Once active, the ransomware replaces the original index.php or index.html file with a modified index.php that displays a defacement message. The page informs administrators that scripts, documents, photos, and databases have been encrypted using the AES-256 encryption algorithm, with a unique key generated for each site.
The ransom demand is set at 0.4 Bitcoin, with a deadline. If payment is not made in time, the operators threaten to increase the ransom to 0.8 Bitcoin. To demonstrate that decryption is possible, the attackers allow administrators to decrypt any two randomly selected files at no cost.
The ransomware package includes multiple files used to manage encryption, tracking, and communication. These include a list of encrypted files, a list of file extensions to target, a test file list for free decryption, and a site-specific secret file that enables decryption tests and victim communication.
Communication with the attackers is handled through server-side scripts. The infected index.php uses HTTP POST requests to send data to command-and-control servers. Researchers identified three such endpoints:
- erdeni[.]ru/access.php
- studiogreystar[.]com/access.php
- a1hose[.]com/access.php
In addition to the website-focused variant, CTB-Locker has also appeared on Windows systems. In those cases, the ransomware was distributed as executables signed with stolen digital certificates, allowing the malware to appear legitimate and bypass some trust checks.
FOR DEFENDERS
In website infections, the attack begins after the server is compromised through an unknown vector. Once access is gained, the ransomware encrypts web content and replaces the site’s main index file with a ransom page controlled by the attacker.
A notable feature is the “free test decryption.” The ransomware submits two separate decryption keys to the modified index page. One key is limited and can decrypt only two randomly chosen files, triggered through a web interface labeled as a test function. The second key is reserved for full recovery and is only released after payment.
The defacement page also includes a messaging feature. Site administrators can communicate directly with the attackers by referencing a secret file stored in the same directory as the malicious index file. This chat-style function is designed to reassure victims and guide them through payment.
From a monitoring standpoint, defenders should expect to see unexpected changes to index files, the sudden appearance of ransom-related PHP scripts, and outbound POST requests to external servers. Because encryption happens server-side, endpoint antivirus tools on user machines offer no protection in this scenario.
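The three indicators in the paragraph above can be checked mechanically. The following script is an added example, not code from the original write-up: it compares a trusted hash baseline of the web root against the live tree to flag modified index files and newly appeared PHP scripts, and scans outbound proxy or firewall log lines for POST requests to the three access.php endpoints named above. The baseline, live file contents and log lines are constructed sample data.

```python
import hashlib
import re

# C2 endpoints named in the write-up (defanged there as erdeni[.]ru etc.),
# refanged only so they can be matched against proxy/firewall log lines.
C2_ENDPOINTS = {"erdeni.ru/access.php", "studiogreystar.com/access.php",
                "a1hose.com/access.php"}
INDEX_FILES = ("index.php", "index.html")
POST_RE = re.compile(r"\bPOST\s+(?:https?://)?([^\s/]+/access\.php)", re.I)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_webroot(baseline: dict, current: dict) -> list:
    """Compare a trusted baseline {path: sha256} with the live web root
    {path: bytes}; flag changed files and PHP files absent from the baseline."""
    findings = []
    for path, content in current.items():
        name = path.rsplit("/", 1)[-1]
        if path not in baseline:
            if name.endswith(".php"):
                findings.append(f"new php file: {path}")
        elif sha256_hex(content) != baseline[path]:
            kind = "index file modified" if name in INDEX_FILES else "file modified"
            findings.append(f"{kind}: {path}")
    return sorted(findings)


def scan_outbound_log(lines) -> list:
    """Return (line_no, endpoint) for each outbound POST to a known C2 endpoint."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = POST_RE.search(line)
        if m and m.group(1).lower() in C2_ENDPOINTS:
            hits.append((n, m.group(1).lower()))
    return hits


# Constructed sample input (not from a real incident) so the script runs as-is.
BASELINE = {"/var/www/html/index.php": sha256_hex(b"<?php echo 'welcome'; ?>"),
            "/var/www/html/about.html": sha256_hex(b"<h1>About</h1>")}
LIVE = {"/var/www/html/index.php": b"<?php /* defacement page */ ?>",
        "/var/www/html/about.html": b"<h1>About</h1>",
        "/var/www/html/newfile.php": b"<?php ?>"}
LOG = ["2016-01-01T10:00:00 POST http://erdeni.ru/access.php 200",
       "2016-01-01T10:00:05 GET http://example.org/ 200",
       "2016-01-01T10:01:00 POST https://studiogreystar.com/access.php 200"]
```

Running `audit_webroot(BASELINE, LIVE)` on the sample reports the rewritten index.php and the new PHP file; `scan_outbound_log(LOG)` reports the two POSTs to listed endpoints and ignores the unrelated GET.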
The attackers’ use of stolen code-signing certificates in Windows variants further complicates detection, as signed executables may appear trustworthy. This approach has been observed in previous malware campaigns and continues to undermine trust in digital signatures.
FOR LEADERS
CTB-Locker for Websites raises the impact of ransomware from individual productivity loss to direct service disruption. When a website is encrypted and defaced, business operations, customer access, and online transactions can be immediately affected.
The risk is especially high for commercial and e-commerce sites. If a compromised server supports payment processing or stores customer data, downtime or data loss can translate directly into financial damage and reputational harm.
This campaign also highlights a broader shift in attacker strategy. Rather than relying only on infected PCs, ransomware operators are targeting shared infrastructure where a single successful intrusion can pressure an organization to pay quickly.
While the article notes that website administrators may be able to restore services from untouched backups, the incident underscores the importance of server security and recovery planning. The continued appearance of CTB-Locker in both website and Windows environments shows how adaptable established ransomware families have become.