Protecting Your WordPress Website from CBT Locker Ransomware

Posted at August 30, 2019 at 8:58 pm by Michael Lavrik

Ransomware is nasty piece of malware that infects computers. CBT Locker Website, a spin on the infamous CBT Locker for desktops, is one of the latest versions of ransomware that enables an attacker to take WordPress sites hostage and charge a fee for their release.

What is CBT Locker and Ransomware?

Ransomware, which has only been popular for the past few years,  is most effective when an attacker plans to make money from his/her victims. Ransomware encrypts all data and leaves the victim a message that important files won’t be decrypted until the victim pays a fee, which can run any where between $50 through thousands of dollars. If the victim waits too long, sometimes fee increases. Payments can be requested in bitcoins, and the malware will even help the user find a bitcoin provider. The scam has made attackers millions in ransom fees.

CBT Locker works in a similar fashion; the attacker just needs to get the victim to download malicious software, which can be easier than gaining access to a website.

Hacking a website involves accessing the file system to upload files. This can be done using phishing attacks or keyloggers. WordPress sites vulnerable to SQL injections can also give the attacker escalated privileges on the web server.

What Happens After a Website Is Hacked?

After the website is hacked, the attacker uploads a new index.php file. When you access a site, the default file that launches content for the main homepage is index.php. The attacker’s index.php file replaces the legitimate one; the next time it executes, data encryption is triggered.

The malicious code searches for numerous file types, usually those most likely to be important to people. Here are a few file types that ransomware, including CBT Locker, searches for:

  • .doc
  • .jpg
  • .png
  • .txt
  • .docx
  • .xls
  • .xlsx
  • .pdf
  • .ppt

Ransomware uses a two-key system: a public key is used to encrypt the data and a private key is used to decrypt it. Only the private key can decrypt data encrypted with the public key. When you pay the ransom, you pay for the private key.

An interesting part about the CBT Locker website version is the real-time chat system. If your files are decrypted, you can go to your site and use the chat system to talk to the attacker. The attacker will help you find a bitcoin provider and even provide you technical instructions on how to pay for the key.

WordPress sites Protected by InterShield

The attacker needs access to your site, so the only way to defend against this attack is to know common vulnerabilities within WordPress.

The most common way an attacker gains access to a site is from a malicious plugin. Even legitimate plugins could have some kind of vulnerability that gives an attacker control of the site. Install only trusted plugins with authors that keep up-to-date on the latest attacks and frequently update their software to patch any recent bugs. Never download random plugins from sites that promise cracked themes (also known as “nulled” themes).

Some legitimate plugins are shown to have vulnerabilities. Responsible plugin developers patch their software to stop the vulnerability and release the new update as soon as possible. You must update your plugins each time a patch is released to avoid having your site hacked.

Penetration testing is the process of having a “white hat” hacker run scripts against your site to find any common vulnerabilities. You can pay for testing or buy your own software that penetration tests your WordPress site. If any vulnerabilities are found in your plugins, you can either disable them and find replacements or alert the plugin author in the hopes that they will provide you with a fix.

SQL injection is a common attack on database vulnerabilities. Unless you understand SQL language and the way databases work, you won’t know how to find these vulnerabilities. A penetration test includes SQL injection vulnerabilities.

Not only should you always keep your software up-to-date, but also be aware of phishing scams when you read your emails. Never give out your login credentials for your web server to anyone.

Rest assured when you purchased our shared hosting you are well protected from whatever malware that lurks around the corner. If your site ever does get hacked we promise that we can help you clean it up if you purchased our managed wordpress plan. In addition, with InterShield we deploy a five prong defensive against vulnerabilities which include: web app firewall, file upload scanner, automatic scan of running scripts, outbound email protection, and malware detection


You can skip to the end and leave a response. Pinging is currently not allowed.

Leave a Reply