Ev Ransomware

A new infection, Ev Ransomware, has been detected by specialists working in the malware research department. According to them, it was developed by an Indonesian group of malware developers and does not differ much from such prevalent threats as WannaCry Ransomware and Petya Ransomware: its one and only goal is easy money. There is, however, one feature that distinguishes it from the other ransomware infections seen in the wild: it does not target the Windows OS. Instead, it primarily targets WordPress websites. Once an attacker has uploaded the ransomware to a compromised website, file encryption starts immediately, and a message demanding 0.2 BTC (~ $959 at today’s price) is displayed. Specifically, if Ev Ransomware encrypts the site's files successfully, the website opens only a black window with that message. Ransomware is no longer a new type of malware, so malware researchers already know a great deal about these infections. They say one thing unites them all: they want the victims’ money and do not hesitate to say so. It hardly needs saying that paying malicious software developers is the worst thing a victim can do. Even if you pay, your website will most likely not be fixed, because the decryption mechanism of Ev Ransomware does not work properly. A fixed version of the threat might be uploaded to your website too, but that changes nothing.

Once Ev Ransomware is uploaded to a WordPress website, it creates EV.php and a .htaccess file. The first file contains the ransomware interface. It is supposed to let victims decrypt their files once they have purchased the key, but at the time of writing that was impossible because the decryption logic is missing. If the same version affects your website, you will most likely be unable to decrypt your files easily even if you obtain the key, because the code handling these encrypted files would have to be fixed first, and only an experienced software engineer can do that. As for the .htaccess file, its function is to redirect all requests to EV.php.

It would not be true to say that every file on an affected WordPress website becomes encrypted once Ev Ransomware appears on it and runs its encryption routine. It has been observed that the infection skips files matching the following patterns:

  • .php
  • .png
  • .lol.php
  • .htaDyzW4re
  • index.php
  • 404.php
  • .htaccess
  • DyzW4re.php
  • .Index.php

Unfortunately, all other files, including .css files, become encrypted. Locked data is marked by appending the .EV extension to the file name. The infection makes sure those files cannot be decrypted easily: it uses the Rijndael-128 encryption algorithm, and the key used is the SHA-256 hash of the key supplied by the attacker. Last but not least, malware researchers have noticed that every key used to encrypt files is sent to the email address htaccess12@gmail.com, which presumably belongs to the ransomware author.
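As an added example (not code from the original write-up), the following Python script checks a WordPress document root for the three traces described above: a dropped EV.php, an .htaccess that routes requests to it, and files renamed with the .EV extension. The sample site it builds is constructed test data; the exact .htaccess rule the malware writes is an assumption, so the check only looks for any reference to EV.php in that file.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up: the dropped EV.php, an .htaccess that
# routes every request to it, and data files renamed with the .EV extension.
DROPPED_FILE = "EV.php"
ENCRYPTED_SUFFIX = ".EV"
HTACCESS_PATTERN = re.compile(r"EV\.php", re.IGNORECASE)


def scan_wordpress_tree(root):
    """Walk a WordPress document root and collect Ev Ransomware indicators.

    Returns a dict of sorted relative paths: dropped EV.php copies, .htaccess
    files that reference EV.php, and files carrying the .EV suffix.
    """
    root = Path(root)
    findings = {"dropped_php": [], "htaccess_redirect": [], "encrypted": []}
    for path in root.rglob("*"):  # pathlib's rglob also matches dotfiles
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name == DROPPED_FILE:
            findings["dropped_php"].append(rel)
        elif path.name == ".htaccess":
            if HTACCESS_PATTERN.search(path.read_text(errors="replace")):
                findings["htaccess_redirect"].append(rel)
        elif path.name.endswith(ENCRYPTED_SUFFIX):
            findings["encrypted"].append(rel)
    for paths in findings.values():
        paths.sort()
    return findings


def build_sample_site():
    """Create a constructed (fake) infected WordPress tree for a dry run.

    Every file name and the .htaccess rule here are made-up sample data,
    not artefacts captured from a real incident.
    """
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    theme = root / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    (root / "index.php").write_text("<?php // on the skip list, left alone\n")
    (root / "EV.php").write_text("<?php // stand-in for the dropped file\n")
    (root / ".htaccess").write_text("RewriteEngine On\nRewriteRule ^(.*)$ EV.php [L]\n")
    (theme / "style.css.EV").write_bytes(b"\x00\x01\x02")  # "encrypted" stylesheet
    (theme / "logo.png").write_bytes(b"\x89PNG")  # .png is on the skip list
    return root
```

Run `scan_wordpress_tree(build_sample_site())` for a dry run, or point `scan_wordpress_tree` at a real document root; a non-empty result in any of the three lists is reason to take the site offline and restore from an off-server backup.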

It might be impossible or very expensive to decrypt files affected by the infection, so prevention deserves more attention. Security specialists have two pieces of advice for those running WordPress websites. First, use a powerful WordPress security plugin at all times. Second, do not store backups on the same web server, because they can easily be encrypted too if malware gets in; specialists recommend keeping backups offline or on a cloud storage service, e.g., Dropbox. Do not ignore these recommendations, because the chances are high that Ev Ransomware is not the only infection targeting WordPress websites.