back to article This is what it looks like when your website is hit by nasty ransomware

Malware appears to have hijacked the British Association for Counselling and Psychotherapy (BACP)'s website – and held it to ransom. The front page of the site has been replaced with instructions on how to pay off the extortionists: $150 (£100) in Bitcoin must be coughed up by February 22, or the association's web data will …

  1. Anonymous Coward
    Paris Hilton

    Just an idea

    Instead of bitcoins, they could offer vouchers for free counselling; the poor dears obviously need it.

    (Behaviour like this is caused by the lack of nekkid Paris photos floating around, they can have a copy of my stash if they ask nicely).

    1. Matt Bryant Silver badge

      Re: Ian Emery Re: Just an idea

      "....they can have a copy of my stash if they ask nicely)." Does the "asking nicely" include a donation of BitCoins? Just to fund the maintenance of the stash's systems, obviously.

    2. BillG

      Re: Just an idea

      Maybe it's not CTB-Locker, it just claims it is? Unless you are expecting honesty from criminals, that is...

    3. TheVogon

      Re: Just an idea

      There was previously similar malware that attacked and encrypted Linux based NASs called Synlocker. Presumably someone has adapted it to a new target vector, or has written a similar one. After all there are no shortage of holes to target on open source based web stacks...

  2. garetht t

    Image link shirley?

    Probably not best to link directly to a website which is known to have been hacked.

    Whether the server was hacked or files transferred from a naughty Windows PC, it seems unwise to be sending el Reg's innocent eyeballs to a site which could well spring malware to the undeserving.

    1. Anonymous Coward
      Anonymous Coward

      Re: Image link shirley?

      Well, if the server is indeed running some sort of Linux, I expect the drone that updates it was infected from the said MS windows pc, and just FTP'ed to whole lot up as usual on a Friday - YAWN. Time to go to the pub.

      1. Rob Carriere

        Re: Image link shirley?

        It's entirely possible you're right, but if the thing ends up serving malware, the victims won't much care how the malware got onto the server -- FTP or share from a Windows box or a direct hack of the server, malware is malware.

  3. Doctor Syntax Silver badge

    Another possibility is that the scrambled material was under a directory exported by Samba and mounted RW on the infected PC. Still, even if they've no other backup it looks like they could recover from Google cache, and maybe

    1. Anonymous Coward
      Anonymous Coward

      I was thinking along similar lines: A pointy-clicky amateur Windows mess sitting behind a grown-up, possibly professionally operated proxy/cache/firewall.. and someone sitting at the back-end "server" checking their email doubleclicked on a dodgy.pdf.exe which had appeared on the desktop. Or somesuch.

      Alternatively, a NFS connection from a (pwned) Windows "admin" desktop to the server's DocumentRoot might be an effective way to achieve the effect?

      I'm also imagining there was probably a lot of member account data and member-only material accessible only to account holders on the thing which won't be externally crawled/cached.

      Hope they bothered to maintain a proper backup regimen and won't be too damaged by their lesson.

    2. Anonymous Coward
      Anonymous Coward

      It looks it was running a lot of outdated software - it takes very little to p0wn an outdated Linux machine as well - without any Windows help.

      1. Doctor Syntax Silver badge

        "it takes very little to p0wn an outdated Linux machine as well - without any Windows help"

        Running Windows executables requires a bit more - or would they have installed Wine on a server?

        1. Anonymous Coward
          Anonymous Coward

          Are you sure it was encrypted by a Windows executable?

          1. Doctor Syntax Silver badge

            "Are you sure it was encrypted by a Windows executable?"

            Not of my own knowledge but that's what the article says.

  4. Simon Booth

    How about a fake homepage hack?

    We hear about homepage hacks all the time.

    Has anyone @ BACP actually verified they've been hit, I wonder?

    With the number of high-profile homepage hacks some simple social engineering would make the appearance of a bit-locker claim make the target convinced it was true.

    Have they actually tried restoring the website, I wonder? That may well be all that's wrong (plus bloody awlful security in the first place)

  5. DarkOrb

    This isn't anything new, there's been various attempts at doing this directly to Linux servers.

  6. Justin Clift

    RPCBIND on an internet host?

    That seems a bit weird to have running on an internet facing box.

    Did you probe it to ask what services it's exposing? eg rpcinfo -p [hostname]

    1. Anonymous Coward
      Anonymous Coward

      Re: RPCBIND on an internet host?

      Didn't you?

      1. Justin Clift

        Re: RPCBIND on an internet host?

        Definitely not my kind of thing to do without permission.

        The author of the article has obviously been at least port scanning the host though, so it's on topic to ask. ;)

  7. Anonymous Coward


    Just restore a backup to an alternative server and repoint the DNS. They do have backups, right?

    1. jason 7

      Re: Backups?

      This stuff looks for and spreads to backups before it announces itself.

      The only safe bet is if you have a tape/disk rotation backup that isn't connected/active.

      Once it says hello, it's usually too late.

      1. Anonymous Coward
        Anonymous Coward

        Backup <> copy of files to a connected share/disk

        If you just copy some files to a connected share or disk, you don't have a backup. Just an unsafe copy.

        It is true the art of backup got lost as soon as OS started to target lusers.

      2. Steven Roper

        Re: Backups?

        "This stuff looks for and spreads to backups before it announces itself."

        Which is exactly why at my company we don't back up from our web server.

        We have an in-house development system that is airgapped from the internet. When we deploy a website, we burn a DVD (No USB drives are permitted on our development machines) from the dev system and upload that to our web host. If there are any changes to be made, a new disc is burned and uploaded to the web host. The only thing that comes back from the web host is the contents of the databases and that goes onto DVD as backup each day. This copy is then checked against an offline MySQL server to ensure the data has not been secretly encrypted. If it has been, then we know our web host has been infected and can take remedial action.

        Should any of our sites become infected with malware, we simply reimage the web server and restore from the last DVD from our dev system.

        It's clumsy and old-fashioned, and wouldn't work for a massive multinational site spanning multiple data centres, but for our small-scale ecommerce and SME sites it works like a charm.

  8. Crazy Operations Guy

    Read-only filesystems

    When will people learn to use the RO flag on the partition they are using for their web documents?

    The web boxen I'm responsible for are placed behind a load balancer and with code inserted into nginx's rc script that if /www/ is writable, it'll shut down immediately. I update the site by shutting down nginx, unmounting /www, running newfs against it, then extracting the tarball with the fresh contents into the new /www, remounting it as RO and starting nginx. In fact, every partition is mounted read-only by default, except /tmp and /var/log.

    Its immune to defacement, malware, and even clumsy PFYs.

    1. Anonymous Coward
      Thumb Up

      Re: Read-only filesystems

      I think you need a new name.

      1. Crazy Operations Guy

        Re: Read-only filesystems

        "I think you need a new name."

        Wish I could change it...

        I got the name several years back when we were doing massive amount of work on a 100,000+ physical machine datacenter. We were merging with another organization that was bringing 25,000 of their own boxes in. Plus there was all the OS / Application integration that had to take place as well. I ended up doing about 6 weeks of 15 hour days so I just went down to the local Ikea and bought a futon, a table, and a combination mini-fridge/microwave and set them up in a storage room attached to the DC. So for about a month I lived in the datacenter, the storage area was insulated enough that the temperature was just right and the servers' fans produced a comfortable level of white noise. Come to think of it, it was probably the best sleep I ever had...

        1. Anonymous Coward

          Re: Read-only filesystems

          Eh? Sounds like an, er, interesting? experience but what does any of that have to do with changi... Never mind. I was mistaken.


        2. Scott 53

          Re: Read-only filesystems

          "combination mini-fridge/microwave"

          Does that keep things both hot and cold at the same time, like David Beckham's Thermos flask?

    2. Anonymous Coward
      Anonymous Coward

      Re: Read-only filesystems

      I also run FreeBSD, which seems to confuse the heck out of most hackers. Weird, but amusing.

      1. Anonymous Coward
        Anonymous Coward

        Re: Read-only filesystems

        I can remember the days when the logs were full of attempts by script kiddies to run Windows commands on our SuSE box. These people are not hackers, they just copy things they read on the Internet. Occasionally they get lucky.

    3. Rob Carriere

      Re: Read-only filesystems

      I love that strategy. But it only works for static content. So, yes, please run your CDN that way, but any CMS-based part of the site will at the very least have the database as a mutable component. Usually there is a directory that holds uploads and temporary files as well. You can and should defend those, but that is a larger attack surface and therefore intrinsically more vulnerable.

    4. Anonymous Coward
      Anonymous Coward

      Re: Read-only filesystems

      "Its immune to defacement, malware, and even clumsy PFYs."

      Resistant to possibly, Immune - extremely doubtful.

  9. PhilipN Silver badge


    An El Reg functionary went to this web site? Why?

    Poor lad

  10. Paul J Turner

    On the plus side

    The BACP people now know that harboring murderous thoughts and wanting ten minutes with the miscreants and a baseball bat can be perfectly normal.

  11. Anonymous Coward
    Anonymous Coward

    Re. On the plus side

    I'll see your baseball bat and raise you angry giant hornets administered rectally via enema tube.

    Psychoanalyze THIS.

    1. Anonymous Coward
      Anonymous Coward

      Re: Re. On the plus side

      Some pain in the arse.

  12. Ru'

    No doubt having a chat with the servers about their relationship with their mothers will fix it all

  13. Anonymous Coward
    Anonymous Coward


    Psychotherapists? Hacking them sounds quite sensible. Akin to practitioners of homoeopathy, they're just a bunch of quacks with self invented letters after their names.

    1. Whitter

      Re: Quacks

      They invented new letters? How do you type them: my keyboard only has the old ones.

  14. Tom 7

    Total lack of imagination

    The front page should have been:

    Looking for




    in comic sans.

  15. Florida1920

    It's all right, you can click now

    The site's been taken offline.

    Q: How many trick-cyclists does it take to restore a hacked website?

    (The one with "The Interpretation of Dreams" in the pocket.)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like