EV ransomware is targeting WordPress sites

WordPress security outfit Wordfence has flagged several attempts by attackers to upload ransomware that provides them with the ability to encrypt a WordPress website’s files.

WordPress ransomware

They dubbed the malware “EV ransomware”, due to the .ev extension that is added to the encrypted files.

About EV ransomware

The ransomware is uploaded once the attacker manages to compromise a WordPress website. The attacker starts the encryption process from an interface, after choosing a complex key and pressing the “Submit” button.

WordPress ransomware

EV ransomware encrypts most of the files but also leaves some unencrypted.

“The encryption process uses mcrypt’s functionality, and the encryption algorithm used is Rijndael 128. The key used is a SHA-256 hash of the attacker-provided encryption key,” the Wordfence team shared.

“Once the data is encrypted, the IV used to encrypt the file is prepended to the ciphertext, and the data is base64-encoded before it is written to the encrypted .EV file.”

Another thing that’s important for the victims to know is that even if they pay the ransom and receive the decryption key, decrypting the files will not be a simple process.

“This ransomware provides an attacker with the ability to encrypt your files, but it does not actually provide a working decryption mechanism,” the team warns.

“If you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they provide you with a key, you will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption.”

Protection tips

The company has rolled out protection against EV ransomware to their users. The rest can minimize the danger by keeping their installations up-to-date, securing their accounts as best as possible, and by making reliable backups – and keeping them off the web server if they don’t want to see them encrypted as well.

According to the researchers, variants of the ransomware have been found published on GitHub, and some of them date back to May 2016. The contents of the source code and the name of the owner of the GitHub account point to the ransomware being the work of an Indonesian group.

They noted that the ransomware is incomplete, but it can still be used to extort money.

“So far we are only seeing attempts to drop this ransomeware on WordPress websites. We expect this to evolve over the next few months into fully functional ransomware that targets both your files and database in WordPress. We also expect to start seeing incidents of extortion,” the researchers concluded.

In early 2016, attackers were spotted using CTB Locker with website-encryption capabilities, but it never became a widespread threat.