Drupal developers are being asked to give themselves extra time next week to fix a “highly critical” flaw in Drupal 7 and 8 core.

In an advisory sent to developers on Wednesday, Drupal notified them that, “there will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 – 19:30 UTC.” The security advisory did not identify the bug, only describing it as a “highly critical security vulnerability.” “The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” according to the post. 

The first victims recorded complaining about this new strain of ransomware appeared in late March, on the official Drupal forums. Site admins were describing their websites as "being locked".

A quick Google search for the Bitcoin address reveals that most websites are running on the Drupal CMS platform. Forkbombus Labs says that the threat actor behind this campaign starts by scanning websites. The attacker's scanning bot extracts the Drupal site's version, then uses the vulnerability to break into the affected websites and eventually change the admin user's password. The flaw is an SQL injection vulnerability that affects Drupal 7.x installations prior to version 7.32.