Not to be confused with the popular coding language "PHP"; the PHP Ransomware is part of the Dharma Ransomware family. The Dharma Ransomware has been around for a while now, but decrypting the files affected by it is still nearly impossible.
How the PHP Ransomware Infects a Computer
The PHP Ransomware works like any other ransomware, and once it infiltrates a system, it accesses and encrypts as many files as possible quickly. The malware is spread using the same techniques as most others. This encompass spam email, infected downloads, torrents and embedded macros. The PHP Ransomware demands a ransom in turn for decrypting the locked data and is recognizable by the extension it appends to the files encrypted by it. The threat adds a unique "victim ID," the attacker's email address, and a ".php" extension to affected files. For example "xyz.abc" would become something like "xyz.abc.id-12ED23542D00.[email@example.com].php". The PHP Ransomware also will add a file called "RETURN_FILES.txt" to the desktop and affected folders. In addition, it has the ability to show a pop-up window with more information. Unlike most ransomware, the PHP Ransomware ransom note only contains a short message with an email address. The rest of the information is presented in the pop-up window.
Sample Ransom Note:
All your data is encrypted!
for return write to mail:
Sample Pop-Up Window Note:
'All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL firstname.lastname@example.org
IN THE LETTER WRITE YOUR ID, YOUR ID 1E857D00
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL:email@example.com
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
Protecting Yourself from the PHP Ransomware
There are various preventive measures you should take to block malware and ransomware from ever reaching your system. However, there is still always the risk of infection at some point. This is why it is very important to keep your data backed up daily, or at least regularly. Any file you cannot risk losing should be backed up in the cloud, or physically on a disk that is not kept in the same location, or at least on a different network. Downloading and installing a well-known and trusted anti-virus or anti-malware tool is important. Most operating systems these days ship with one out of the box. However, any tool is only as good as its virus definitions. Keeping your security software updated helps it recognize known threats and neutralize them.Do not download files from unknown sources. Double-check email addresses and URLs before downloading or executing files attached to them. Even if you recognize an email sender, always make sure the file attached to it makes sense with respect to the email content. Sometimes malware can attach corrupted files to emails without the sender's knowledge.
What Should I do if My System is Infected?
A lot of tools are available online that claim to be able to remove malware or even to recover your files. While the former is possible, and there are a number of reputable companies that develop such tools, it is impossible to decrypt the locked files without the unique key. Trying to use a decryption tool could make your system even more vulnerable to attacks, as it is very likely that the tool was also developed with harmful intent in mind. Once a system is infected, the only way to remove the malware with no risk of recurrence is to format the hard disk. You can then use a backup to restore your system to a clean state. Some malware can cause issues during system restores or even delete backups. This is why it's always a good idea to have important files backed up off-site.
Never reach out to the attackers under any circumstances. While they might decrypt a file or two as proof, the chance of paying a ransom and regaining access to all your data is minimal. It is far more likely that the attackers keep asking for more and more money until they disappear. Bitcoin transactions are untraceable, and the attackers feel no obligation to uphold their end of the deal once they are paid.