The first recorded complaints from victims of this new strain of ransomware appeared in late March on the official Drupal forums. Site admins described their websites as "being locked".
A quick Google search for the Bitcoin address reveals that most of the websites it turns up are running on the Drupal CMS platform. Forkbombus Labs says that the threat actor behind this campaign starts by scanning websites. The attacker's scanning bot extracts the Drupal site's version, then uses a vulnerability to break into the affected websites and eventually change the admin user's password. The flaw is an SQL injection vulnerability that affects Drupal 7.x installations prior to version 7.32.