The campaign, called Realstatistics, has tainted thousands of sites built on both Joomla! and WordPress content management systems. Researchers with security company Sucuri observed the campaign injecting bogus analytics code, including the url realstatistics[.]info, into the PHP template of infected sites over the past few days.
Like practically every strain of ransomware, Cryptobit urges victims to contact the cybercriminals in order to restore their files. The ransom note – which appears on victims’ desktops – doesn’t specify how much, or what denomination, to pay in order to get their files back however. Some of the first Cryptobit infections were discovered in April; at the time the ransomware was using both AES and RSA to encrypt files, something that makes it more difficult to decrypt the data.
Criminals were pushing Cryptobit hard for more than a week; Duncan said he spotted eight different samples of the ransomware variant pop up over the course of 10 days. The campaign shifted to distributing other malware at the end of June, however, he said.