Unknown attackers are leveraging a two-year-old vulnerability in Drupal installations to break into sites and install Web-based ransomware that hijacks the website's main page but fails to encrypt any files.
The first complaints from victims of this new strain of ransomware appeared in late March, on the official Drupal forums. Site admins described their websites as "being locked" with a message that read:
"Website is locked. Please transfer 1.4 BitCoin to address 3M6SQh8Q6d2j1B4JRCe2ESRLHT4vTDbSM9 to unlock content."
Forkbombus Labs says that the threat actor behind this campaign starts by scanning websites for the presence of /CHANGELOG.txt (Drupal CMS specific file) and /joomla.xml files.
The attacker's scanning bot extracts the Drupal site's version, then uses the CVE-2014-3704 vulnerability to break into the affected websites and eventually change the admin user's password.
CVE-2014-3704 is an SQL injection vulnerability that affects Drupal 7.x installations prior to version 7.32.
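A defender can check for both halves of the campaign described above: whether a site's CHANGELOG.txt reveals a Drupal 7 version older than 7.32, and whether an access log shows a single client probing both CMS fingerprint files. The following is an added example, not code from the article or from Forkbombus Labs; it assumes the first line of a Drupal 7 CHANGELOG.txt looks like "Drupal 7.31, 2014-07-24" and uses constructed log lines in combined log format.

```python
import re
from collections import defaultdict

# Constructed sample of the first lines of a Drupal 7 CHANGELOG.txt (format assumed).
SAMPLE_CHANGELOG = "Drupal 7.31, 2014-07-24\n-----------------------\n- Fixed ...\n"

VERSION_RE = re.compile(r"^Drupal (\d+)\.(\d+)")

def drupal_version(changelog_text):
    """Return (major, minor) parsed from the first line, or None if not a Drupal changelog."""
    m = VERSION_RE.match(changelog_text.lstrip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def vulnerable_to_cve_2014_3704(version):
    """CVE-2014-3704 affects Drupal 7.x installations prior to 7.32."""
    return version is not None and version[0] == 7 and version[1] < 32

# Constructed access-log lines simulating the scanner hitting both fingerprint paths.
SAMPLE_LOG = """203.0.113.5 - - [28/Mar/2016:10:00:01 +0000] "GET /CHANGELOG.txt HTTP/1.1" 200 1024 "-" "python-requests/2.9"
203.0.113.5 - - [28/Mar/2016:10:00:02 +0000] "GET /joomla.xml HTTP/1.1" 404 512 "-" "python-requests/2.9"
198.51.100.7 - - [28/Mar/2016:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# The two files the article says the bot looks for.
PROBE_PATHS = {"/CHANGELOG.txt", "/joomla.xml"}
# Client IP and request path from a combined-format log line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+)')

def find_fingerprint_scanners(log_text):
    """Return the sorted list of client IPs that requested both probe paths."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) in PROBE_PATHS:
            hits[m.group(1)].add(m.group(2))
    return sorted(ip for ip, paths in hits.items() if paths == PROBE_PATHS)

if __name__ == "__main__":
    ver = drupal_version(SAMPLE_CHANGELOG)
    print("Drupal version:", ver, "vulnerable:", vulnerable_to_cve_2014_3704(ver))
    print("Fingerprint scanners:", find_fingerprint_scanners(SAMPLE_LOG))
```

Blocking or removing CHANGELOG.txt from the web root denies the scanner its version hint, but patching to 7.32 or later is what removes the vulnerability.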