There is a new infection that goes by the name Ev Ransomware, and it is not a regular file-encrypting infection that demands a ransom in return for a decryptor. While it does encrypt files and then demand a ransom, it does not target operating systems. Instead, it goes after WordPress websites. At the time of research, the infection was still unable to carry out complete attacks, although it was attempting them, which is why it remains somewhat mysterious. Despite the lack of information, it is obvious that this infection encrypts files to bring WP websites down and hold them hostage until money is paid. The unfortunate thing is that files are unlikely to be decrypted, and websites are likely to remain corrupted even if the demands are met. That’s just how malicious the creators of ransomware are. All in all, since this threat is still in its development stages, WordPress website owners should still have time to take measures to ensure that ransomware does not affect their sites.
All kinds of vulnerabilities are exploited to activate malware, and that might be the case with the malicious Ev Ransomware as well. At the moment, reports show that vulnerable themes and plugins available to WordPress users can be used to deliver the infection. Once it is executed, it encrypts WP files, and it could also encrypt backups if they are stored on the same web server. The infection should skip files whose names contain the strings .php, .png, .htaccess, .index.php, .htaDyzW4re, .lol.php, 404.php, index.php, and DyzW4re.php, but all other files are at risk. One of the reasons Ev Ransomware is set up to leave files with the .htaccess string alone is that it creates a .htaccess file of its own to redirect requests to EV.php, which is one more file the ransomware creates. This file presents the ransom demand, and it includes a field for a decryption key, which creates the illusion that once the victim pays the ransom, their files will be decrypted. That, unfortunately, is unlikely to happen.
In one of the examples, Ev Ransomware demanded a ransom of 0.2 bitcoins. That, currently, converts to 870 US Dollars or 723 Euros (note that the conversion rates change all the time). The victim is told to pay the ransom, but there are no guarantees that a decryption key would be offered in return. According to some researchers, decryption – at least, right now – is not even possible, and even if it were, it is unlikely that cyber criminals would bother to keep their end of the deal. That suggests that if the files were encrypted, they are likely to stay that way. Speaking of encryption, Ev Ransomware employs the Rijndael-128 cipher, and instead of encrypting the original files, it creates copies. The original files are deleted, and the copies are encrypted. The “.EV” extension is appended to their names. Another thing worth mentioning is that the infection sends the encryption key to firstname.lastname@example.org for safekeeping. Needless to say, this key is hidden from the victim and impossible to retrieve.
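The two paragraphs above give a WordPress administrator a handful of file-system indicators to look for: the dropped EV.php ransom page, a .htaccess that rewrites requests to it, copies of files carrying the appended “.EV” extension, and the unusual names (.htaDyzW4re, DyzW4re.php, .lol.php) the malware is written to skip. The following scanner is an added example written for this article, not code from the original write-up or from any security vendor; it walks a WordPress document root, collects those indicators, and returns a simple verdict. The sample directory it builds is constructed test data, and the threshold of three encrypted copies is an assumption chosen to avoid alerting on a single stray file.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the write-up above: the ransom page, the appended
# extension on encrypted copies, and the odd file names the malware skips.
RANSOM_PAGE = "EV.php"
ENCRYPTED_SUFFIX = ".EV"
ODD_NAMES = {".htaDyzW4re", "DyzW4re.php", ".lol.php"}
# A .htaccess that mentions EV.php is treated as the rewrite the article describes.
HTACCESS_REDIRECT = re.compile(r"EV\.php", re.IGNORECASE)
# Assumption: several encrypted copies are needed before they alone raise a hit.
MIN_ENCRYPTED_COPIES = 3


def scan_wordpress_root(root):
    """Walk a WordPress install and return indicator name -> sorted list of relative paths."""
    root = Path(root)
    findings = {"ransom_page": [], "htaccess_redirect": [], "encrypted_copies": [], "odd_names": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        name = path.name
        if name == RANSOM_PAGE:
            findings["ransom_page"].append(rel)
        if name == ".htaccess":
            try:
                text = path.read_text(errors="replace")
            except OSError:
                text = ""
            if HTACCESS_REDIRECT.search(text):
                findings["htaccess_redirect"].append(rel)
        if name.endswith(ENCRYPTED_SUFFIX):
            findings["encrypted_copies"].append(rel)
        if name in ODD_NAMES:
            findings["odd_names"].append(rel)
    # Sort for deterministic output regardless of directory iteration order.
    return {key: sorted(paths) for key, paths in findings.items()}


def is_likely_infected(findings):
    """Verdict: the ransom page or its .htaccess rewrite is decisive; encrypted copies need volume."""
    return bool(
        findings["ransom_page"]
        or findings["htaccess_redirect"]
        or len(findings["encrypted_copies"]) >= MIN_ENCRYPTED_COPIES
    )


def build_sample_tree(infected):
    """Create a constructed WordPress-like directory in a temp folder; not a real site or infection."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (root / "index.php").write_text("<?php // constructed clean front controller\n")
    (uploads / "photo.jpg").write_bytes(b"JFIF placeholder")
    if infected:
        # Encrypted copies with the appended extension, the ransom page, and the rewrite.
        for original in ("photo.jpg", "report.pdf", "notes.txt"):
            (uploads / (original + ENCRYPTED_SUFFIX)).write_bytes(b"\x00" * 16)
        (root / RANSOM_PAGE).write_text("<?php // constructed ransom page placeholder\n")
        (root / ".htaccess").write_text("RewriteEngine On\nRewriteRule . EV.php [L]\n")
    else:
        (root / ".htaccess").write_text("RewriteEngine On\nRewriteRule . index.php [L]\n")
    return root


if __name__ == "__main__":
    for flag in (False, True):
        result = scan_wordpress_root(build_sample_tree(flag))
        print("infected sample" if flag else "clean sample", "->", is_likely_infected(result), result)
```

Run it against a real document root with `scan_wordpress_root("/var/www/html")` (path is an example) and review the `findings` dictionary before trusting the verdict; a legitimate .htaccess that happens to mention EV.php would also match, so the regex is a triage hint, not proof.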
If files are backed up, there is no need to even think about fulfilling the demands of cyber criminals, because recovering data from backups should be easy. If backups do not exist, the corrupted WP websites might be compromised for good. This proves just how important backing up data is, and it is important for everyone, not just website developers. If files are backed up, there is nothing to fear even if malicious infections manage to slither in and wreak havoc. Setting up reliable security safeguards is important as well, and there are plenty of plugins to choose from if you are using WordPress to build websites. Unfortunately, it is unlikely that we have seen Ev Ransomware at full force. Also, other threats just as clandestine or even more dangerous could be created to target WP website creators. Without a doubt, virtual security and protection must be on everyone’s mind.