Wordfence, the developer behind the Wordfence WordPress Security Plugin, came across a piece of WordPress ransomware in July 2017 that it calls EV ransomware. This WordPress ransomware attacks websites and their operators. What Wordfence has been able to find out so far, what security measures are available, and more, you can read here.
Ransomware is malware that encrypts data, files and sometimes entire hard drives on a PC or Mac. The system is then blocked and the user can only unlock it again with a specific password, and not infrequently a deadline is set for this. Within this deadline, the user is supposed to transfer a ransom to the ransomware sender, usually in the form of bitcoins. After receipt of the payment, the password for releasing the data and files will (hopefully) be transmitted. WordPress ransomware, then, refers to such encryption attacks on websites and their operators.
WordPress is the system of choice for many website operators to put various content, texts and media such as images, videos and audio tracks on the Internet. In addition, WordPress offers a lot of freedom for your own design and administration using plugins. Whether free use or a full installation with hosting service and all the trimmings: WordPress ransomware therefore potentially puts millions of websites in danger. Wordfence, the developer behind the Wordfence WordPress Security Plugin, has published the following in this regard:
“Most ransomware targets Windows workstations. However, the Wordfence team is currently tracking an emerging type of ransomware targeting WordPress websites. During our analysis of malicious traffic targeting WordPress sites, we saw several attempts to upload ransomware, which provided the attacker with the ability to encrypt the files of a WordPress website and then extort money from the site owner.”
The WordPress ransomware found by Wordfence was christened EV ransomware. The name comes from how it handles the files on the attacked websites: these are first encrypted and packed into an archive, then deleted and replaced by files of the same name with the extension .EV. According to Wordfence, the following files / extensions are not affected by the encryption / modification:
In addition, an EV.php is created when the website data is encrypted, which displays the interface shown above, where the user can enter the decryption code. However, the Wordfence security team reports that the resulting decryption of the data is incomplete, if it happens at all.
Since it is unlikely that you as a website operator will actually get your data decrypted and returned in a form you can safely use again, Wordfence advises against paying the ransom demanded.
WordPress is not a big topic on this blog, but it is an important one. So I assume that there are certainly one or two website operators among you readers. Therefore, I would like to pass on Wordfence's protection tips to you so that you can be on your guard against this malicious software.
First of all, the WordPress security provider points to its own offering and the benefits of its Wordfence WordPress Security Plugin. The malware was first discovered on July 7, 2017; on July 12, 2017 the firewall of the security offering was adapted accordingly. This is intended to block attempts to upload the software used for encryption and blackmail. In addition, the plugin's scan detects the ransomware when checking the website. Since August 11, 2017, the protection against EV ransomware has also been available to users of the free version.
Another tip for protecting against malicious software that can paralyze your website is not related to the Wordfence offering, but applies to all possible difficulties you may encounter with your data: make backups. A backup of your homepage that you do not store on the same server, but locally or in a cloud, lets you restore your website without paying a ransom and without relying on a decryption of your data that may never come.
The ransomware is said to have first appeared as code on GitHub in May 2016. The second generation of the code and software, which is currently in use, did not appear until 2017. The interesting thing about it: the stated author is bug7sec, a group from Indonesia who describe themselves as business consultants on their Facebook page. According to Wordfence, Indonesian words can also be found in the ransomware code.
Furthermore, a YouTube video whose audio plays when the ransomware is loaded points to Indonesia, both through the Indonesian rap in the audio and through its title, which contains the term ApriliGhost; the accounts of that name on Twitter and Facebook also point to an Indonesian source. In addition, after loading, the ransomware automatically redirects to the Indonesian hacker forum errorviolence.com. IP addresses connected with the ransomware were also traced to Jakarta.
After encryption, or each time a directory is created, the malware sends an email to the address "email@example.com". Information about the host and the key used is sent in this e-mail. Wordfence also notes a few technical details about the encryption. So that I do not reproduce this incorrectly, here is the quote in English (source: the Wordfence page linked above):
"The encryption process uses mcrypt's functionality, and the encryption algorithm used is Rijndael 128. The key used is a SHA-256 hash of the attacker-provided encryption key. Once the data is encrypted, the IV used to encrypt the file is prepended to the ciphertext, and the data is base64-encoded before it is written to the encrypted .EV file."
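To make that file layout concrete from a responder's point of view, here is an added triage script (my own example, not Wordfence's code and not the ransomware's) that walks a site tree, flags the EV.php marker and .EV files, checks each .EV body against the documented layout (base64 of a 16-byte IV followed by block-aligned ciphertext) and derives the key the quote describes. It assumes the key is the raw 32-byte SHA-256 digest and does not attempt decryption, since the cipher mode is not stated on the page; the sample site is constructed.

```python
import base64
import binascii
import hashlib
import os
import tempfile

EV_IV_LEN = 16          # Rijndael-128 block size: the IV prepended to the ciphertext
EV_BLOCK = 16           # ciphertext length must be a multiple of the block size
MARKER_FILE = "EV.php"  # the ransom-note interface the page describes


def derive_key(attacker_passphrase: str) -> bytes:
    # Page: key = SHA-256 of the attacker-provided key. Raw digest is an assumption.
    return hashlib.sha256(attacker_passphrase.encode("utf-8")).digest()


def parse_ev_container(blob: bytes):
    """Split a .EV file body (base64 of IV || ciphertext) into (iv, ciphertext).
    Returns None when the body does not match the documented layout."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    iv, ct = raw[:EV_IV_LEN], raw[EV_IV_LEN:]
    if len(iv) != EV_IV_LEN or not ct or len(ct) % EV_BLOCK:
        return None
    return iv, ct


def find_ev_artifacts(root: str):
    """Classify artifacts under root: marker file, well-formed .EV containers,
    and .EV files whose body fails the layout check (likely truncated/damaged)."""
    report = {"marker": [], "encrypted": [], "malformed": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if name == MARKER_FILE:
                report["marker"].append(rel)
            elif name.endswith(".EV"):
                with open(full, "rb") as fh:
                    parsed = parse_ev_container(fh.read())
                report["encrypted" if parsed else "malformed"].append(rel)
    return {k: sorted(v) for k, v in report.items()}


def build_sample_site() -> str:
    """Constructed sample tree (not real ransomware output) to exercise the triage."""
    root = tempfile.mkdtemp(prefix="ev_triage_")
    os.makedirs(os.path.join(root, "wp-content"))
    good = base64.b64encode(b"\x01" * 16 + b"\x02" * 32)  # IV + two full blocks
    bad = base64.b64encode(b"\x01" * 16 + b"\x02" * 20)   # not block-aligned
    files = {"EV.php": b"<?php // constructed stand-in for the ransom interface",
             "index.php.EV": good, "wp-content/theme.css.EV": bad,
             "wp-config.php": b"<?php // untouched file"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    return root
```

Running `find_ev_artifacts(build_sample_site())` lists the marker, the one well-formed container and the malformed one separately, which is the split you want before deciding which files a backup restore must cover.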
The EV ransomware can encrypt the files of WordPress websites. Its creators demand a ransom for decryption, and paying it does not necessarily lead to the (complete) decryption of the data. Better protection comes from an appropriate plugin (kept up to date as of August / September 2017), from a regular backup that is not stored on the same server, and from general caution.
After graduating from high school, Johannes completed an apprenticeship as a business assistant specializing in foreign languages. But then he decided to research and write, which resulted in his independence. For several years he has been working for Sir Apfelot, among others. His articles include product introductions, news, manuals, video games, consoles, and more. He follows Apple keynotes live via stream.