WordPress Ransomware: Malware that is extortionate on websites

Wordfence, the developer behind the Wordfence WordPress Security Plugin, came across WordPress ransomware in July 2017 that it calls EV ransomware. This WordPress ransomware attacks websites and their operators. What findings Wordfence has been able to bring to light so far, what security solutions are available and more, you can find out here.

"EV Ransomware" is the name of the WordPress ransomware discovered by Wordfence and included in the database of the Wordfence WordPress Security Plugin, which encrypts the files of the attacked website.

What is ransomware?

Ransomware is malware that encrypts data, files and sometimes entire hard drives on a PC or Mac. The system is then blocked, and the user can only unlock it again with a specific password; not infrequently a deadline is set for this. Within that deadline, the user is supposed to transfer a ransom to the sender of the ransomware, usually in the form of bitcoins. After receipt of the payment, the password for releasing the data and files will (hopefully) be transmitted. WordPress ransomware now brings such encryption attacks to websites and their operators.

More on this: MacRansom is attacking Mac / Data backup as protection against malware

WordPress ransomware: attacks now also on websites

WordPress is the system of choice for many website operators who want to put content, texts and media such as images, videos and audio tracks on the Internet. In addition, WordPress offers a lot of freedom for your own design and administration via plugins. Whether used for free or as a full application with a hosting service and all the trimmings, WordPress ransomware therefore potentially puts millions of websites in danger. Wordfence, the developer behind the Wordfence WordPress Security Plugin, has published the following in this regard:

“Most ransomware targets Windows workstations. However, the Wordfence team is currently tracking an emerging type of ransomware targeting WordPress websites. During our analysis of malicious traffic targeting WordPress sites, we saw several attempts to upload ransomware, which provided the attacker with the ability to encrypt the files of a WordPress website and then extort money from the site owner.”

The malware interface with which the code for encrypting and decrypting website data can be implemented. (Source: Wordfence.com)

EV Ransomware - reason for the name

The WordPress ransomware found by Wordfence was baptized EV ransomware because of how it handles the files on the attacked websites: they are first encrypted and packed into an archive, then deleted and replaced by files of the same name with the extension .EV. According to Wordfence, the following files / extensions are not affected by the encryption / modification:

  • .php
  • .png
  • 404.php
  • .htaccess
  • .index.php
  • DyzW4re.php
  • index.php
  • .htaDyzW4re
  • .lol.php

In addition, an EV.php is created when the website data is encrypted; it shows the interface pictured above, where the user can enter the decryption code. However, according to the Wordfence security team, the resulting decryption is incomplete, if it happens at all.

Don't pay a ransom

Since it is unlikely that you as a website operator will get your data decrypted and returned to you in a form you can safely use again, according to Wordfence you should rather not pay the ransom demanded.

This is how you can protect yourself

WordPress is not a big topic on this blog, but it is an important one. So I assume there are one or two website operators among you readers. That is why I would like to pass on Wordfence's protection tips, so that you can be on your guard against the malware.

First of all, the WordPress security provider points to its own offering and the benefits of its Wordfence WordPress Security Plugin. The malware was first discovered on July 7, 2017; on July 12, 2017 the firewall of the security offering was adapted accordingly, so that attempts to upload the encryption and extortion software are blocked. In addition, the plugin's scan detects the ransomware when checking the website. Since August 11, 2017, the protection against EV ransomware has also been available to users of the free version.

Another note on protecting against malware that can paralyze your website is unrelated to the Wordfence offering but applies to every difficulty you may encounter with your data: make backups. A backup of your site that you do not keep on the same server, but locally or in a cloud, lets you restore your website without paying a ransom and without the (perhaps never happening) decryption of your data.

Who are those responsible?

The ransomware is said to have first appeared as code on GitHub in May 2016. The second generation of the code, the one currently in use, did not appear until 2017. The interesting thing: the stated author is bug7sec, a group from Indonesia who call themselves a business consultancy on their Facebook page. According to Wordfence, Indonesian words can also be found in the ransomware code.

Furthermore, a YouTube video whose audio plays when the ransomware is loaded also points to Indonesia, through the Indonesian rap in the audio and the title, which contains the term ApriliGhost; on Twitter and Facebook this, too, turns out to be an Indonesian source. In addition, after loading, the ransomware automatically leads to the Indonesian hacker forum errorviolence.com. IP addresses connected with the ransomware were also traced to Jakarta.

Technical details

After encryption, or each time a directory is created, the malware sends an e-mail to the address "htaccess12@gmail.com". Information about the host and the key used is sent in that e-mail. Wordfence also notes a few technical details about the encryption. So that I do not reproduce this incorrectly, here is a quote in English (source: the Wordfence page linked above):

“The encryption process uses mcrypt's functionality, and the encryption algorithm used is Rijndael 128. The key used is a SHA-256 hash of the attacker-provided encryption key. Once the data is encrypted, the IV used to encrypt the file is prepended to the ciphertext, and the data is base64-encoded before it is written to the encrypted .EV file.”
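The file-handling behaviour described above (files replaced by same-name .EV files, the dropped EV.php, the spared DyzW4re.php, .htaDyzW4re and .lol.php, the reporting e-mail address) and the quoted .EV layout (base64 of IV followed by ciphertext, Rijndael-128 block size) together give a site operator a handful of concrete indicators to look for on disk. The following Python script is an added example of a defensive scanner built only from those indicators; it is not code from the page or from Wordfence. It assumes a 16-byte IV and block-aligned ciphertext, as mcrypt's Rijndael-128 with its zero padding produces, and the sample directory tree it scans is constructed and harmless.

```python
"""Added example: scan a WordPress directory tree for the EV ransomware
indicators the article lists. Not the page's or Wordfence's code."""
import base64
import os
import tempfile
from pathlib import Path

# Indicator file names taken from the article: files the malware creates or spares.
DROPPED_FILES = {"EV.php", "DyzW4re.php", ".htaDyzW4re", ".lol.php"}
# Reporting address quoted in the article.
EXFIL_EMAIL = b"htaccess12@gmail.com"
BLOCK = 16  # Rijndael-128 block size in bytes


def parse_ev_payload(data: bytes):
    """Return (iv, ciphertext) if `data` matches the described .EV layout:
    base64( IV || ciphertext ). Assumption: 16-byte IV and a ciphertext that is
    a whole number of blocks (mcrypt zero-pads to the block size)."""
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if len(raw) < 2 * BLOCK or (len(raw) - BLOCK) % BLOCK:
        return None
    return raw[:BLOCK], raw[BLOCK:]


def scan_tree(root):
    """Walk `root` and return a list of (indicator, relative path) tuples."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        if path.name in DROPPED_FILES:
            findings.append(("dropped_file", rel))
        if path.suffix == ".EV":
            # Distinguish a blob that fits the described layout from a mere rename.
            kind = "ev_file" if parse_ev_payload(path.read_bytes()) else "ev_suffix_unparsed"
            findings.append((kind, rel))
        if path.suffix == ".php" and EXFIL_EMAIL in path.read_bytes():
            findings.append(("exfil_address", rel))
    return findings


def build_sample_site(root):
    """Create a constructed, harmless tree that looks like an affected site."""
    root = Path(root)
    (root / "wp-content").mkdir(parents=True, exist_ok=True)
    # Files the article says are spared.
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / ".htaccess").write_text("RewriteEngine On\n")
    # Constructed stand-in for the dropped EV.php, mentioning the reporting address.
    (root / "EV.php").write_text("<?php /* constructed sample */ $m = 'htaccess12@gmail.com'; ?>\n")
    # A blob with the described layout: 16 random bytes as "IV" plus two random blocks.
    blob = base64.b64encode(os.urandom(BLOCK) + os.urandom(2 * BLOCK))
    (root / "wp-content" / "notes.txt.EV").write_bytes(blob)
    # Same suffix but not the layout, to exercise the unparsed branch.
    (root / "wp-content" / "broken.EV").write_bytes(b"not base64!!")
    return root


def demo():
    """Build the constructed tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:20s} {rel}")
```

Run against a real site root instead of the constructed tree by calling `scan_tree("/path/to/wordpress")`; any `dropped_file` or `exfil_address` hit is a reason to take the site offline and restore from the off-server backup the article recommends, not to interact with the EV.php interface.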

Conclusion on EV ransomware

The EV ransomware can encrypt the files of WordPress websites. Its creators demand a ransom for decryption, but paying does not necessarily lead to the (complete) decryption of the data. Better protection comes from a corresponding plugin (up to date as of August / September 2017), from regular backups that are not stored on the same server, and from general caution.

-

Did you like the article, and did the instructions on the blog help you? Then I would be happy if you supported the blog via a Steady membership or on Patreon.
