Date: Feb 2016
Location: United Kingdom

Summary

The British Association for Counselling and Psychotherapy's website was compromised by CTB-Locker ransomware, which encrypted files and replaced the homepage with a ransom demand for Bitcoin payment to recover access. Critical documents were rendered inaccessible, though some pages remained functional. The attackers threatened permanent data loss if unpaid, but no ransom transaction occurred. The incident involved a Linux-based web server running outdated software versions, diverging from the malware's typical Windows targeting, suggesting potential infection via a compromised local machine synchronizing corrupted files to the server. The association, a major UK professional body, maintained public-facing services including FTP and SSH during the attack.

CIA Posture: available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On February 12, 2016, the British Association for Counselling and Psychotherapy (BACP) experienced a ransomware attack that compromised its official website. The attackers replaced the site's homepage with a ransom demand instructing the organization to pay $150 (£100) in Bitcoin by February 22 to recover the encrypted data, threatening permanent loss of access if the ransom went unpaid. The malware, identified as CTB-Locker, encrypted files on infected systems, rendering them inaccessible without a decryption key held by the attackers. BACP, a Leicester-based professional body representing over 40,000 UK counselling and psychotherapy members, ran its web server on Linux (likely kernel versions 2.6.32 to 2.6.35) with publicly exposed services including FTP, SSH, HTTP, HTTPS, RPCBIND, and MySQL. The HTTP server was Apache 2.2.17 (Fedora), and the SSH service was OpenSSH 5.4. The ransom note claimed the files had been encrypted with AES-256 and emphasized that decryption was impossible without payment, because the key resided on a secret server controlled by the attackers.

The attack selectively encrypted portions of the website, leaving some pages like the privacy policy functional while scrambling documents such as an ethics framework. Analysis revealed no Bitcoin transactions from the specified wallet, confirming the ransom remained unpaid at the time of reporting. The incident raised technical questions, as CTB-Locker typically targets Windows systems via spam email attachments or malicious websites, whereas BACP’s infrastructure was Linux-based. Investigators hypothesized that a compromised Windows device within the association’s network might have synchronized encrypted files to the web server, inadvertently propagating the ransomware payload alongside the replacement homepage. BACP did not issue an immediate public statement, and no spokesperson was available to confirm containment efforts, data recovery status, or operational disruptions following the attack. The organization’s role as a major professional body suggested potential reputational and operational impacts, though specific consequences were not detailed in available sources.

Sources: 1 source (available to members)