Wordfence, the company behind the WordPress security plugin of the same name, has just issued a security alert. It reports that a ransomware strain it has nicknamed EV is targeting a growing number of WordPress sites. The second version of the malware, whose source code has been on GitHub since July 2016, has been used by attackers in attempts against WordPress sites since last month.
A review of the source code reveals that the attack begins by taking hostage the .htaccess file that WordPress creates automatically when a site is installed (the source code shows this plainly). Because .htaccess is renamed rather than left in place, the web server no longer sees the directives WordPress put there, notably the mod_rewrite rules that make permalinks resolve, so the site is effectively muzzled: it has been cut off from its own configuration file.
The ransomware has a function that walks the directories of the site tree and encrypts the files inside them. The files are encrypted with the Rijndael 128 algorithm (the 128-bit-block Rijndael variant standardized as AES) through a call to the shcEnCry function. For each directory traversed, the attacker is sent the encryption key used, by email through a call to the report function, to an address configured in advance. A practical consequence for incident responders: the key leaves the server in a plain email for every directory, so if the host logs or archives outgoing mail, those messages are worth checking.
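The two symptoms described above (a renamed .htaccess and files whose contents have been replaced by ciphertext) are what a responder would check first on a suspect install. The triage helper below is an added example, written for this page; it is not Wordfence's code nor the ransomware's. It assumes nothing about the renamed file's name (the `.htaccess.bak` in the constructed sample, the list of text-type extensions and the 7.0 bits-per-byte entropy threshold are all choices made here), and it deliberately skips compressed media such as PNG or ZIP, which are naturally high-entropy and would otherwise be reported as encrypted.

```python
"""Triage helper for a WordPress tree hit by file-encrypting malware.

Added example for this article, not Wordfence's or the ransomware's code.
It checks whether .htaccess has been renamed away and which text-type files
now look encrypted (high byte entropy). The sample directory tree built by
build_sample_site() is constructed here for demonstration.
"""
import math
import os
import tempfile
from collections import Counter

# Extensions whose contents are normally plain text in a WordPress install.
# Compressed media (png, jpg, zip) are high-entropy by nature and would be
# false positives, so they are deliberately left out. (Assumed list.)
TEXT_EXTENSIONS = {".php", ".html", ".htm", ".css", ".js", ".txt", ".json", ".xml"}
ENTROPY_THRESHOLD = 7.0  # bits/byte; source text is ~4-6, ciphertext ~8 (assumed cut-off)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def htaccess_status(root: str):
    """Return (present, renamed_copies).

    present: whether root/.htaccess exists.
    renamed_copies: top-level entries that start with '.htaccess' but are not
    it, i.e. what a rename-in-place would leave behind.
    """
    present = os.path.isfile(os.path.join(root, ".htaccess"))
    renamed = sorted(name for name in os.listdir(root)
                     if name.startswith(".htaccess") and name != ".htaccess")
    return present, renamed


def find_encrypted_files(root: str, threshold: float = ENTROPY_THRESHOLD,
                         min_size: int = 64):
    """Walk the tree and return text-type files whose bytes look like ciphertext."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if len(data) < min_size:
                continue  # too short for a meaningful entropy estimate
            if shannon_entropy(data) >= threshold:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def triage(root: str) -> dict:
    """Combine both checks into one report."""
    present, renamed = htaccess_status(root)
    return {
        "htaccess_present": present,
        "htaccess_renamed": renamed,
        "encrypted_files": find_encrypted_files(root),
    }


def build_sample_site() -> str:
    """Constructed sample: a tiny 'WordPress' tree in which .htaccess has been
    renamed and one theme file replaced by random bytes standing in for
    ciphertext. A PNG of random bytes is included to show it is NOT flagged."""
    root = tempfile.mkdtemp(prefix="wp-triage-")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    # Renamed, not deleted: the new name is an assumption for the sample.
    with open(os.path.join(root, ".htaccess.bak"), "w") as fh:
        fh.write("# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php\n" + "require __DIR__ . '/wp-blog-header.php';\n" * 10)
    with open(os.path.join(theme, "functions.php"), "wb") as fh:
        fh.write(os.urandom(2048))  # stands in for an encrypted PHP file
    with open(os.path.join(root, "wp-content", "logo.png"), "wb") as fh:
        fh.write(os.urandom(2048))  # binary media: high entropy, but skipped
    return root


if __name__ == "__main__":
    print(triage(build_sample_site()))
```

Run it on a real install by calling `triage("/var/www/html")` (or wherever the site lives) instead of the constructed sample; a missing `.htaccess` together with a list of unreadable `.php` files is the picture the article describes. The entropy test is a heuristic, not proof: minified or packed JavaScript can sit near the threshold, so confirm a hit by looking at the file before restoring from backup.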
Once file encryption is complete, the victim is shown the standard ransom screen, through which a key supplied by the attackers after payment can be entered. Wordfence, however, advises potential victims not to pay.
The ransomware documented here is incomplete, because the function meant to decrypt the files does not do its job, Wordfence says, adding that if you are affected, you should not pay the ransom, since it is unlikely that the attackers are actually able to decrypt your files.
Even if they provide you with a key, you will need an experienced PHP developer to help you repair their code in order to make use of the key and decrypt the files, the Wordfence team added.
The misfortune of potential victims seems to be good business for Wordfence, since the only remedy it proposes is to acquire the Wordfence firewall, which is available only to its premium users.