EV Ransomware, A Growing Threat to WordPress Sites


Wordfence, the team behind the WordPress security plugin of the same name, has just issued a security alert. It reports that a ransomware strain nicknamed EV (by the Wordfence team) is targeting a growing number of WordPress sites. The second version, whose source code has been published on GitHub since July 2016, has been used by attackers against WordPress sites since last month.

A review of the source code reveals that the attack begins by taking the .htaccess file hostage (as the published source code shows); this file is created automatically by WordPress when a site is installed. Because the .htaccess file is renamed, the web server loses its per-directory configuration (rewrite rules and access directives), and the site is effectively muzzled.

The ransomware has a function that walks the directories of the site tree and encrypts the files within them. The files are encrypted with the Rijndael 128 algorithm through a call to the shcEnCry function. For each directory traversed, the attacker receives the encryption key used (through a call to the report function) by email, sent to an address configured in advance.
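A defender-side triage check for the behaviour just described: it flags a missing or renamed .htaccess under the WordPress root and text-type files whose byte entropy looks like ciphertext rather than PHP or HTML. This is an added example, not Wordfence's code nor the ransomware's; the file extensions, the 7.0 bits/byte threshold and the constructed sample site are assumptions, and the "encrypted" sample is random bytes standing in for Rijndael output.

```python
import math
import os
import shutil
import tempfile
from collections import Counter

TEXT_EXT = {".php", ".js", ".css", ".html", ".txt", ".json", ".xml"}
ENTROPY_THRESHOLD = 7.0  # assumed: plain PHP/HTML sits well below 6 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; approaches 8.0 for ciphertext."""
    if not data:
        return 0.0
    counts, n = Counter(data), len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_wordpress_tree(root: str) -> dict:
    """Return indicators of an EV-style attack found under a WordPress root."""
    findings = {"htaccess_missing": False, "renamed_htaccess": [], "high_entropy": []}
    if not os.path.isfile(os.path.join(root, ".htaccess")):
        findings["htaccess_missing"] = True  # renaming .htaccess is the first step
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            # assumed: the renamed copy still starts with ".htaccess" (e.g. .htaccess.bak)
            if name != ".htaccess" and name.startswith(".htaccess"):
                findings["renamed_htaccess"].append(rel)
            if os.path.splitext(name)[1].lower() in TEXT_EXT:
                with open(path, "rb") as fh:  # first 64 KiB is enough to judge
                    if shannon_entropy(fh.read(65536)) > ENTROPY_THRESHOLD:
                        findings["high_entropy"].append(rel)
    return findings


def demo() -> dict:
    """Build a constructed sample site (not real ransomware output) and scan it."""
    root = tempfile.mkdtemp(prefix="wp-ev-demo-")
    try:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        with open(os.path.join(root, ".htaccess.bak"), "w") as fh:  # renamed original
            fh.write("RewriteEngine On\n")
        with open(os.path.join(root, "index.php"), "w") as fh:  # untouched PHP
            fh.write("<?php\n" + "define('WP_USE_THEMES', true);\n" * 40)
        with open(os.path.join(root, "wp-content", "uploads", "post.txt"), "wb") as fh:
            fh.write(os.urandom(4096))  # stand-in for a Rijndael-encrypted file
        return scan_wordpress_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)
```

Running `demo()` reports the missing .htaccess, the `.htaccess.bak` candidate and the high-entropy upload while leaving `index.php` unflagged; point `scan_wordpress_tree` at a real document root to triage a suspected site.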

Once the file encryption process has completed, the victim is shown the standard ransom screen, in which they can enter a key supplied by the attackers once the ransom has been paid. The Wordfence team, however, advises potential victims not to pay.

The ransomware documented here is incomplete, because the function dedicated to decrypting the files does not do its job, said the Wordfence team, which adds that if you are affected by it, do not pay the ransom, since it is unlikely that the attackers are actually able to decrypt your files.

Even if they provide you with a key, you will need an experienced PHP developer to help you repair their code in order to make use of the key and decrypt the files, the Wordfence team added.

The misfortune of potential victims seems to be good business for the WordPress management team, since the only solution it proposes is to buy the Wordfence firewall, which is available only to premium users.

Published August 16th, 2017 | Data Security, Technology | 2 Comments


  1. Md Yakub, September 14, 2017 at 1:23 pm

    Wordfence has been blocking this ransomware for our Premium customers since we first saw it used in an attack in early July. I strongly recommend that you install Wordfence Premium to protect yourself against these kinds of threats. In September of last year, Wordfence integrated our malware scan into our firewall. This allows Wordfence to use malware signatures that we create to recognize files like this ransomware variant in our firewall. By using this technique, Wordfence will block an attempt to upload ransomware, even if the attacker used an unknown exploit. To get the most benefit from Wordfence, I encourage you to upgrade to Premium. Not only do you get your firewall rules in real time, but you also get our malware signatures in real time from our team.

  2. Ogeto Omwancha D., September 20, 2017 at 1:52 pm

    It would not be an overstatement to say that widespread cyber-attacks crippling global businesses have become the new normal with the fast advancement of digital technology and its application. The speed and scale of the recent ransomware attacks and cyber-security breaches have taught me an important lesson. Threat detection and mitigation will be the key to this nightmare. It is true that ransomware has been around for a long time. It originally dates back to 1989 with the “PC Cyborg Trojan horse virus” that would extort its victims into sending $189 to a PO Box in Panama to get their files decrypted. The encryption on that virus was easily crackable. Ransomware today is growing fast. In 2017, 100 new ransomware variants were released into the wild, and there was a 36% year-over-year increase in ransomware attacks worldwide. The average ransomware demand increased 266% to an average of $1077 per victim. [Source: Symantec Threat Report 2017]. Today a large number of affected people and organizations actually pay attackers when they are hit by ransomware, and sometimes their files are successfully decrypted. Security organizations, including the FBI, generally advise customers not to pay attackers because this encourages the spread of this kind of attack. However, many organizations simply do not have the option of not recovering their data – and so they pay, which perpetuates this criminal business model. Which begs the question: could cloud computing help tame this trend?
