The popular WordPress content management system is experiencing a new wave of hacker attacks. Security experts discovered that criminals are infecting hosted services with a WordPress virus called EV ransomware. It encrypts the site’s content in a way similar to desktop versions.
WordPress Virus Threatens Security of Online Instances
The popular WordPress content management system has been hit with another security threat. Computer hackers are targeting sites with a new virus called “EV ransomware” that seeks to encrypt the data in a manner similar to desktop variants.
The new menace is being tracked by security experts that have discovered several victim sites. During monitoring of several websites the team were able to capture samples of the virus. The criminals behind the attack used automated intrusion attempts to login to the site. Once they have been able to compromise the login prompts the EV ransomware is uploaded to the server.
Once this is done the following infection pattern is observed:
- EV ransomware infiltrates on the target system and is downloaded to the web server’s folder.
- The virus generates a special page that the criminals can access to set up the victim instance. It provides a user interface where they can configure the encode/decode key and submit it for processing.
- The encryption process is initiated.
Like the desktop equivalents the encryption engine uses a built-in file list that in this case features a list of files that are to be skipped by the EV ransomware. The WordPress virus disallows their processing as they will effectively shut down the site and make it non-working:
.php, .png, *404.php, .htaccess, *.index.php, *DyzW4re.php, *index.php, *.htaDyzW4re, *.lol.php*
The experts discovered that when each directory of files is successfully encrypted a notification email is sent to “firstname.lastname@example.org”. This is a hacker-controlled address that collects data from the infected hosts. It contains information related to the compromised machines. The emails contain data about the host name and the encryption key used specified by the hackers. All affected files are deleted and new ones are created with the same names bearing the .EV extension. They are encrypted using the hacker-supplied key. The Encryption process uses a function of the mcrypt library using the Rijndael 128 algorithm. The key itself uses a SHA-256 hash taken from the private encryption key.
Further Technical Details About the WordPress Virus Engine
During the encryption process the EV ransomware crafts two files in the installation folder:
- Ev.php ‒ This is the user interface that allows the users to input the decryption key supplied by the hackers. This is a scam as the decryption engine does not work. The victims should not contact the hackers or pay the ransomware fee in any case.
- .htaccess ‒ It is used to redirect all queries to the EV.php file which displays the EV ransomware note.
The users are shown a green text on a black background showing with an ASCII art image. The administrator’s name is displayed with the requested ransom sum of 0.2 Bitcoins. According to the current currency conversion rate this is the equivalent of about 972 USD. So far only a single attack has been spotted. The criminals launched an attack campaign on July 7th, the reported incident led to the investigation that identified the threat. On August 11 the firewall rule was made public for everyone to include in their settings.
According to the research a prior variant of the malware code appeared last year in May. The developers behind it are known as Bug7sec Team operating from Indonesia. Their Facebook page describes them as a “business consultant” agency.
According to the researchers it is expected that future versions and fully-functional ransomware are going to be released in the future by the same collective or other groups.
To effectively defend yourself against intrusion attacks we recommend the use of a quality anti-spyware tool. It is able to defend against all kinds of computer malware and effectively delete found infections with a few mouse clicks.
Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter