Ransomware Targeting WordPress – An Emerging Threat

Recently, the Wordfence team has seen ransomware being used in attacks targeting WordPress. We are currently tracking a ransomware variant we are calling “EV ransomware.” The following post describes what this ransomware does and how to protect yourself from being hit by this attack.

A Quick Introduction to Ransomware

Ransomware is malicious software that an attacker installs on your computer or on your server. They use an exploit to gain access to your system, and then the ransomware executes, usually automatically.

Ransomware encrypts all your files using strong unbreakable encryption. The attackers then ask you to pay them to decrypt your files. Usually payment is via bitcoin. Bitcoin gives the attackers a way to create an anonymous wallet into which the ransom can be paid.

Ransomware has been around for a long time. It originally dates back to 1989 with the “PC Cyborg trojan horse virus” that would extort its victims into sending $189 to a PO Box in Panama to get their files decrypted. The encryption on that virus was easily crackable.

Ransomware today is growing fast. In 2017, 100 new ransomware variants were released into the wild, and there was a 36% year-over-year increase in ransomware attacks worldwide. The average ransomware demand increased 266% to an average of $1077 per victim. [Source: Symantec Threat Report 2017]

This year we have seen ransomware attacks on a scale that would have been hard to imagine several years ago. In May of this year, the WannaCry ransomware attack affected hundreds of thousands of people in over 150 countries. The UK National Health System was affected and had to divert ambulances away from affected hospitals.

In June we saw the Petya (eventually dubbed NotPetya or Netya) ransomware rapidly spreading, starting in Ukraine. A large number of high-profile organizations were affected, including Ukraine’s state power company, the Chernobyl nuclear reactor, Antonov aircraft, shipping company Maersk and food giant Mondelez.

Today a large number of affected people and organizations actually pay attackers when they are hit by ransomware, and sometimes their files are successfully decrypted. Security organizations, including the FBI, generally advise customers to not pay attackers because this encourages the spread of this kind of attack. However, many organizations simply do not have the option of not recovering their data – and so they pay, which perpetuates this criminal business model.

Ransomware Now Targets WordPress

Most ransomware targets Windows workstations. However, the Wordfence team is currently tracking an emerging kind of ransomware that targets WordPress websites.

During our analyses of malicious traffic targeting WordPress sites, we captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.

The ransomware is uploaded by an attacker once they have compromised a WordPress website. It provides the attacker with an initial interface that looks like this:

This interface provides both the encryption and decryption functionality to an attacker. The attacker then chooses a complex key, enters it into the “KEY ENC/DEC” field and hits submit.

The site is then encrypted. The result looks like this:

The ransomware will not encrypt files that have the following patterns:

  • *.php*
  • *.png*
  • *404.php*
  • *.htaccess*
  • *.lndex.php*
  • *DyzW4re.php*
  • *index.php*
  • *.htaDyzW4re*
  • *.lol.php*

For each directory that the ransomware processes, it will send an email to “htaccess12@gmail.com” that informs the recipient about the host name and the key used to perform the encryption.

All files affected are deleted and another file takes their place with the same name, but with the “.EV” extension. This new file is encrypted.

For our technical audience: The encryption process uses mcrypt’s functionality, and the encryption algorithm used is Rijndael 128. The key used is a SHA-256 hash of the attacker-provided encryption key. Once the data is encrypted, the IV used to encrypt the file is prepended to the ciphertext, and the data is base64-encoded before it is written to the encrypted .EV file.
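A recovery and triage helper based on the .EV layout described above, added here as an example and not code from the ransomware or from Wordfence: it base64-decodes a file, checks that the decoded bytes are a 16-byte IV followed by whole cipher blocks, and decrypts with the SHA-256-derived key. It assumes what the post does not state: CBC mode (a prepended IV implies a chained mode), the raw 32-byte digest as the AES key (Rijndael-128 names the 128-bit block size, not the key size), and mcrypt's zero-byte padding; buildSampleEV exists only to construct an offline test vector.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// evKey is SHA-256 of the attacker-supplied string (as the post describes).
// Assumption: the raw 32-byte digest is the key, i.e. AES-256 in CBC mode.
func evKey(secret string) []byte {
	sum := sha256.Sum256([]byte(secret))
	return sum[:]
}

// DecodeEV is the triage check: base64 whose decoded length is a 16-byte IV
// plus at least one whole cipher block. Run it over every *.EV file first.
func DecodeEV(encoded []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(string(bytes.TrimSpace(encoded)))
	if err != nil {
		return nil, fmt.Errorf("not base64: %w", err)
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("decoded length %d is not IV plus whole blocks", len(raw))
	}
	return raw, nil
}

// DecryptEV recovers one file given the key. Assumption: mcrypt zero-byte
// padding, so trailing NULs are stripped (binary data ending in NULs suffers).
func DecryptEV(encoded []byte, secret string) ([]byte, error) {
	raw, err := DecodeEV(encoded)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(evKey(secret)) // 32-byte key: cannot fail
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return bytes.TrimRight(pt, "\x00"), nil
}

// buildSampleEV constructs an offline fixture in the same layout, base64(IV ||
// ciphertext) with zero padding; it is a test-vector generator, not malware.
func buildSampleEV(plain []byte, secret string) []byte {
	block, _ := aes.NewCipher(evKey(secret))
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	pad := (aes.BlockSize - len(plain)%aes.BlockSize) % aes.BlockSize
	padded := append(append([]byte{}, plain...), make([]byte, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return []byte(base64.StdEncoding.EncodeToString(append(iv, ct...)))
}

func main() {
	sample := buildSampleEV([]byte("body { color: #333; }\n"), "s3cret-key") // constructed sample
	plain, err := DecryptEV(sample, "s3cret-key")
	fmt.Printf("recovered %q (err=%v)\n", plain, err)
}
```

If the PHP used the hex digest string rather than the raw digest as the key, evKey is the one function to change; a wrong key decrypts to garbage without an error, so compare the first bytes of the output against a known file header before trusting a batch run.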

Decryption Is Incomplete

When the encryption process starts, the ransomware creates two files in its installation directory. The first is named “EV.php,” a file containing an interface that is supposed to allow the user to decrypt their files if they have a key. This file contains a form, but it does not work because it does not include decryption logic.

The second file is a .htaccess file that redirects requests to the EV.php file. Once your site has been encrypted, it will look like this:

This ransomware provides an attacker with the ability to encrypt your files, but it does not actually provide a working decryption mechanism. It does, however, give attackers what they need to trick affected site owners into paying a ransom. Their only goal is to encrypt your files. They don’t actually have to prove they can decrypt your files to get you to pay a ransom.

If you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they provide you with a key, you will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption.

How to Protect Yourself

This ransomware was first seen by Wordfence being used in a single attack attempt on July 7th. We released a malware signature to our Premium Wordfence customers on July 12th that was specifically designed to detect this ransomware and any variants.

That means our Premium customers’ firewalls have been blocking any attempts to upload this ransomware since then. The Wordfence scan also has detected the presence of this ransomware for Premium customers since July 12th.

30 days later on August 11th, this rule became available for our free community customers. If you are running Wordfence Premium or Wordfence free on your websites, you are currently protected against this attack.

Wordfence will protect you from being hit by this in the first place. We also recommend that you have reliable backups. It is important that you don’t store your backups on your web server. If, for example, they’re stored in a ZIP archive on your server, then if your site is taken over by this ransomware, the backups will also be encrypted and will be useless. Your backups should be stored offline, either with your hosting provider or using a cloud storage service like Dropbox.

Who Is Responsible

The earliest variant of this ransomware appeared in May of last year on Github. Version 2 of the ransomware is what attackers are currently using.

The first time we observed this ransomware being used in the wild to target WordPress websites was last month.

The authors of the ransomware on Github are bug7sec, an Indonesian group with a Facebook page who have listed themselves as a “business consultant.”

The source code uses Indonesian words like “kecuali,” which means “except” in English. You can see this in the source code samples below:

The function above determines whether it should exclude a file from encryption, so the word ‘except’ makes sense in this context as an Indonesian function name.

When you load the ransomware, it loads a YouTube video which is invisible, but you can hear the audio playing in the background when you view the ransomware user interface. The video plays an Indonesian rap tune and the lyrics appear to mention hacking.

The title of the video is “ApriliGhost – Defacer Kampungan.” If you look up @aprilighost on Twitter, you find this account, which links to this Indonesian Facebook account. ApriliGhost may not be the attacker, but the video is Indonesian in origin – a further Indonesian connection.

Another clue is that the ransomware seems to be connected with the website errorviolence.com. When you view the ransomware in a web browser, after a certain amount of time it will redirect you to that site, which is an Indonesian hacking forum and website with resources for hackers.

Our attack data has logged related attacks from IPs with the location of Jakarta, the capital of Indonesia. We have seen related attacks originating from several other non-Jakarta IPs, but these do not resolve to any specific location, but rather to organizations that may be used to proxy attacks. So far, Jakarta is the only location with a clear link to these attacks.

Conclusion: This ransomware was created in Indonesia, probably by bug7sec, and is being used by at least one Indonesia-based hacking group to target WordPress websites.

We Expect This to Evolve Into Fully Functional and Widespread Ransomware

The EV ransomware that we have documented above is incomplete, in that the decryption function does not work correctly. It does work well enough to extort money from unsuspecting website owners, although we have not yet received any reports of extortion taking place. So far we are only seeing attempts to drop this ransomware on WordPress websites.

We expect this to evolve over the next few months into fully functional ransomware that targets both your files and database in WordPress. We also expect to start seeing incidents of extortion. For websites that do not have a firewall like Wordfence and regular backups, this may turn into a profitable business for attackers who can ransom a few thousand websites.

So far, attackers targeting WordPress have earned money only indirectly from compromised WordPress sites through techniques like email and SEO spam.

Major vulnerabilities in the WordPress ecosystem emerge from time to time – for example, the defacement campaign that the WordPress community experienced earlier this year. The next major vulnerability may see attackers switching from older business models to using ransomware to directly monetize compromised WordPress websites.

Stay Safe

As I mentioned above, Wordfence has been blocking this ransomware for our Premium customers since we first saw it used in an attack in early July. I strongly recommend that you install Wordfence Premium to protect yourself against these kinds of threats.

In September of last year, Wordfence integrated our malware scan into our firewall. This allows Wordfence to use malware signatures that we create to recognize files like this ransomware variant in our firewall. By using this technique, Wordfence will block an attempt to upload ransomware, even if the attacker used an unknown exploit.

To get the most benefit from Wordfence, I encourage you to upgrade to Premium. Not only do you get your firewall rules in real time, but you also get our malware signatures in real time from our team. In this case, you would already have been protected against this new ransomware for over a month by now.

An additional layer of protection against a ransomware attack is to ensure that you have good offline backups. Make sure your backups don’t live on your web server. They need to be backed up to a separate server or a cloud storage service like Dropbox or Google Drive. Keep in mind, though, that your backups are your last line of defense. It is better to avoid getting hacked in the first place.

I hope you have enjoyed this detailed post on ransomware and how it is beginning to target WordPress. If you have any questions or comments, post below and I will be around to reply.

Regards,

Mark Maunder – Wordfence Founder/CEO

Thank you to Pan Vagenas for his research which contributed to this post. Also thanks to Andie La-Rosa and Dan Moen for their assistance editing this post. 


Comments

47 Comments
  • I have a question. Can this affect the database or is this just affecting the core and content files?

    • The version we discuss in this post only affects files. My guess is you'll see ransomware targeting the DB within a few months. It's such an obvious high value target. Probably the wp_users table would be the first thing to go after - encrypting just the email column would be very destructive. A site would essentially be disabled and have no way to communicate with customers until the ransom is paid.

      Mark.

      • Thanks, that's when I would really be concerned files I have backed up. Does Wordfence have a db backup in their premium service?

        • We do not. Check out Updraft Plus.

  • Great detective investigation. Thank you for keeping us free subscribers safe. You are worth your premium fee and I will upgrade when my business starts to grow.

    • Thanks James!

  • How do they compromise the WordPress site in the first place? Are they circumventing the password?

    • Attackers usually target a vulnerable theme or plugin in the WP site. Once they're in, they'll drop the EV ransomware payload and encrypt your files. The next time you visit your site, you see the ransomware page appear.

      • G'day Mark,

        We have been running back-ups via GoDaddy Managed WP + use Wordfence.
        If we selected a plugin (BackupBuddy, for instance) that saved copies of the site to, say, Dropbox, would that be compromised too?

        Do we need to take back-ups onto our desktop computers to be immune from this crime?

        Thank you for your services. I'm an IT newb, having just started in March 2017.

        • Hi William,

          In general backing up to Dropbox will give you a way to restore your site if you are hit by ransomware. It may be feasible for ransomware to access the Dropbox files via your backup software and corrupt past backups. That is feasible if your backup software has read/write access to past backups and the ransomware steals those credentials and accesses your Dropbox files. I've never heard of this ever happening - but in theory it's a possibility.

          Ideally you want to take past backups completely offline and have them be completely inaccessible to the system that was backed up.

          Mark.

  • Thanks for including the defense in all versions of Wordfence. Isn't there something someone can do to head this off at the pass, before it is developed into a worse attack?

    • I'm afraid not Gary.

  • Isn't it possible to remove the entire WP installation and then install a fresh one from backup? It sounds like the simplest remedy, am I missing something there?

    • Sure, that's true for anything. And it's a great theory. Windows workstation infected? Blow it away and restore from backup.

      One has to wonder then, why ransomware has had such a severe impact world-wide during the past year. It's because it isn't that simple in reality. Sometimes backups don't exist, aren't available, are useless or are corrupt. Sometimes systems have real-time data that becomes inaccessible and didn't get picked up during a 24 hour backup cycle. Sometimes it's really difficult to find someone who has any idea how to restore your backups.

      Checking the "backup box" is easy. Actually recovering from an incident is hard.

      Very few organizations have regular backups where they verify they can restore those backups, regularly.

      Ask yourself these questions:

      When last did you do a test restore of your backups? Have you ever?

      How much data would you lose if your site was hacked right before the backup ran?

      Would it be possible for an attacker to disable your backups or tamper with them?

  • So, what's the problem if it only affects files? Reinstall (from a backup), close the vulnerability, done. Encrypting (parts of) the database would be disastrous, but this is only a minor problem.

    • If you don't have backups and are e.g. an image hosting website, all your assets are encrypted. Plenty of sites have valuable intellectual property in the form of files. Losing access to that would be disastrous.

  • Is this limited to Windows servers or are Unix server installations running WordPress also vulnerable?

    • Most WordPress websites are hosted on Linux servers. Some are hosted on Windows servers. Whether you are hosted on Windows or Linux, you are vulnerable to this if you are infected.

  • This is just another reason why snapshots using ZFS are a must! That way one can just rollback the files like this never happened with a single command.

    I totally agree with having backups off server. If one must perform this on the same server at least make sure backups are done using a different Linux/Unix user account than what the website is running under.

    That way if the files are encrypted the backups shouldn't be encrypted since the web server user won't have write permissions. Still better if one just backups off that server and ideally to another provider in another datacenter just in case.

  • Thanks for the heads up. Running fresh backups now.

    Ever since ransomware destroyed my family business in 2015, we've been struggling to rebuild and I always feared one day that WordPress would be targeted outright. It's actually one of the reasons I moved to Wordfence to help protect my websites.

    Thank you again for all the hard work you guys do.

    • Thanks Theron!

  • I was hit by a ransomware hack on my WordPress websites in Feb 2016. Got into my hosting account and since I was ignorant of these attacks at the time and had a bulk account, I lost 25 websites. Client and personal sites. I was to pay $50 in Bitcoin, which I did and never received the decryption code. Sites were all gone. So rebuilt and found Wordfence to protect them. Also I have set a limit to 3 sites per hosting account now. Tough lessons learned.

    • I'd love to get more data on what variant you were hit with. Ransomware is rare in the WP ecosystem. At least it has been until now.

  • Just another reason why we would never go without our Wordfence protection! Thanks guys!

    • Thanks Norman!

  • I had victims submit files to my website (ID Ransomware) from a variant of this using the extension ".lalabitch" a few weeks ago. I had acquired a sample of it then and everything matches your analysis as well.

    https://twitter.com/demonslay335/status/881007286818226176

    • Awesome, thanks for sharing this Michael and for validating our findings. Drop me an email at mark at wordfence dot com if you have any other data to share. Much appreciated.

      Mark.

  • Pardon the "newbie" question here, but if the directory and folders where the site's files live are password protected, would the ransomware still be able to infect said directories and files...?

    • Yes. I'm going to assume you mean 'password protected with basic web authentication'. In that case, once the attacker has access to your filesystem directly, they are completely bypassing that.

  • Thanks guys for this information, I am happy to know that Wordfence has got my back, I will try my best to upgrade to premium. Thanks again

  • This is exactly why I host my clients' code on virtual servers I can control and prevent WordPress from being able to write to anything except the dedicated upload directories.

    Yes it's not nearly as convenient as the "click to update" features or the in-app file editor but it is much more secure.

    This should, IMO, be a very first step in security (the very next one being to install wordfence of course).

  • I find it sad that something like this would come out of Indonesia as I actually have a lot of family and close friends from Indonesia. :-( But I would not be surprised much to find this kind of malware coming from just about any country.

    Dan

  • I guess that all that needs to happen is for the payload to sit dormant for 1 week or so, and then fire off, so even all the backups will contain the virus. This would make things harder in that you can't restore from backups easily.

  • So will the country blocking feature prevent these ransomware attacks?

    Do you have a list of IP's that you can share for the free wordfence users to add to their firewall?

    • Our Premium product has an IP blacklist that is excellent at blocking about 90% of attacks. We don't have that service for free customers. Country blocking won't really be effective against this.

      Mark.

  • It seems that the weakest point in WP is plugins. Do you have a list of vulnerable plugins so that as a web host I can monitor for them?

    • Check out our monthly attack report - about 1 or 2 posts ago.

      Mark.

  • Any idea what the at risk themes are?

    • The usual suspects. Check out our monthly attack report for more info.

      Mark.

  • I know for a fact it affected the banks in Italy and we still can't get any funds from there. Maybe you need to help them with your knowledge

  • I feel so fortunate to have found Wordfence and signed up for the premium about a year ago. Every day I've got people trying to hack in thru password recovery and now I have my sites locked down with the additional code on my phone to login with administrator logins. I'm sure it's only a matter of time before they find a way so I appreciate that you guys are driven to be one step ahead at all times. I don't think people understand the value of the premium for so little price of admission. I got infected with something a couple of years ago and my provider wanted to hook me up with a scan company that charged $700 per site just to scan. Nice affiliate gig if you can get it, lol. Thanks again so much Mark. You guys ROCK!!!

    • Thank you!

  • Nicely summarized. Thank you for spreading the word so excellently.

  • Thanks for the information. All website owners, please keep your websites and all plugins updated. Ransomware is one of the worst attacks : (

  • Exactly why we recommend Wordfence to all our customers and clients. Thanks for spreading the word.

  • Thanks for sharing. Very helpful article.

  • Thanks for the info! Definitely a good reason to keep up on backups.