Ev Ransomware Targets WordPress Websites
Ev Ransomware is a new kind of infection that, apparently, originates in Indonesia. It is a server-based threat, and it is specifically targeted at WordPress sites. At the time of research, this devious threat was still in development, and it was still just attempting to infiltrate servers; however, there is a great possibility that this infection could be upgraded. The prediction is that this threat will evolve to corrupt servers linked to WP sites to ensure that administrators cannot communicate with website owners until the ransom is paid. Yes, this infection is likely to be created for the same reason as WanaCrypt Ransomware, Locker Ransomware, and all other well-known file-encrypting threats that are developed to extort money from users. While the future of the devious Ev Ransomware is still quite mysterious, this infection must be taken seriously because it could cause serious problems for WordPress users.
It is believed that Ev Ransomware exploits WordPress plugin and theme vulnerabilities to drop the malicious payload. If the infection is executed successfully, it should encrypt files of the targeted WordPress website. According to Mark Maunder at wordfence.com, the ransomware has both encryption and decryption functionalities, and it can encrypt all kinds of files evading those with patters that include 404.php, DyzW4re.php, index.php, .htaccess, .htaDyzW4re, .lndex.php, .lol.php, .php, and .png. Once the encryption is complete, an email should be sent to htaccess12@gmail.com disclosing the key that was employed. A different key could be used for every single directory. The encryption of files, of course, is done in a way that users could not decrypt files themselves. First and foremost, Ev Ransomware creates copies of original files that are then deleted. The copies are created with the “.EV” extension to make it obvious which files were corrupted. The mcrypt encryption tool – which has similarities with AES – is used for the encryption process, and the cipher used is Rijndael 128.
If Ev Ransomware is executed successfully, and the encryption process is initiated, new files are created. One of them is “EV.php”, and the second one is “.htaccess”. The first file is what we could call a ransom note as it displays a form via which the victim should be able to apply the decryption key. Speaking of the ransom, Ev Ransomware might request 0.2 Bitcoins (at the time of research, this was nearly 900 USD); however, this sum could be easily adjusted. Unfortunately, the decryption of files is unlikely to be possible. Even if it was, it is unlikely that the creator of the ransomware would provide victims with decryption keys. Also, the decryption function could be disabled altogether. In general, paying a ransom is a bad idea, and that can be said about all kinds of ransomware infections. Unfortunately, if the infection becomes as strong as it is expected, some WordPress site users might see no other option but to abide by the rules set up by vicious cyber criminals.
WordPress website creators need to be vigilant about the protection of their data because it could be compromised by Ev Ransomware and, unfortunately, other similar threats that are likely to emerge in the future. The right defense tools could help protect WP sites against malware, but other security measures must be taken as well. Just like with regular ransomware, the best thing that users can do is back up data. It is recommended that users store backups outside of the web server to prevent malware from corrupting it. If backups exist, files and websites can be restored even if malware is dropped successfully. It is also important to be cautious about vulnerable plugins and themes that appear to be the gateway for the mysterious Ev Ransomware.