As we all know, most ransomware targets Windows workstations. However, an emerging kind of ransomware targets WordPress websites instead. A team from the security company Wordfence has flagged several attempts by attackers to upload ransomware that gives them the ability to encrypt a WordPress website’s files.
During our analyses of malicious traffic targeting WordPress sites, we captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.
The ransomware is uploaded by an attacker once they have compromised a WordPress website. It provides the attacker with an initial interface that looks like this:
This interface provides both the encryption and decryption functionality to an attacker. The attacker then chooses a complex key, enters it into the “KEY ENC/DEC” field and hits submit.
The site is then encrypted. The result looks like this:
The ransomware will not encrypt files that have the following patterns:
For each directory that the ransomware processes, it will send an email to “[email protected]” that informs the recipient about the host name and the key used to perform the encryption.
All files affected are deleted and another file takes their place with the same name, but with the “.EV” extension. This new file is encrypted.
For our technical audience: The encryption process uses PHP’s mcrypt extension, and the cipher used is Rijndael-128 (the 128-bit-block Rijndael variant, i.e. the AES block size). The key is a SHA-256 hash of the attacker-provided encryption key. Once the data is encrypted, the IV used to encrypt the file is prepended to the ciphertext, and the result is base64-encoded before it is written to the encrypted .EV file.
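The file layout just described (base64 over IV followed by ciphertext, key derived with SHA-256) is enough to write a recovery tool for a site owner who has obtained the key, for instance from the notification mail the ransomware sends out through the site’s own mail queue or logs. The script below is an added example written for this article, not code from Wordfence or from the ransomware. Everything the page does not state is an assumption and is labelled as such in the code: CBC mode with a 16-byte IV, the raw 32-byte SHA-256 digest as the key (which makes it AES-256), mcrypt-style zero-byte padding, and the `cryptography` library standing in for the deprecated mcrypt. `ev_encrypt` exists only to build constructed test input; `ev_decrypt` and `restore_tree` are the recovery side.

```python
"""Recover files written in the .EV layout: base64( IV || ciphertext ).

Assumptions not stated on the page (see the lead-in):
  * Rijndael-128 in CBC mode, 16-byte IV in front of the ciphertext
  * key = raw 32-byte SHA-256 digest of the attacker-supplied string
  * mcrypt-style zero-byte padding up to the block boundary
"""
import base64
import hashlib
import os
import tempfile
from pathlib import Path

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # Rijndael-128 block size; the prepended IV is exactly one block


def derive_key(passphrase: str) -> bytes:
    """SHA-256 of the attacker-provided key string (raw digest: assumption)."""
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def zero_pad(data: bytes) -> bytes:
    """mcrypt pads with NUL bytes to a block boundary (assumption for this sample)."""
    rem = len(data) % BLOCK
    return data if rem == 0 else data + b"\x00" * (BLOCK - rem)


def ev_encrypt(plaintext: bytes, passphrase: str, iv: bytes = b"") -> bytes:
    """Build a constructed .EV payload; used here only to create test input."""
    iv = iv or os.urandom(BLOCK)
    enc = Cipher(algorithms.AES(derive_key(passphrase)), modes.CBC(iv),
                 backend=default_backend()).encryptor()
    ciphertext = enc.update(zero_pad(plaintext)) + enc.finalize()
    return base64.b64encode(iv + ciphertext)


def ev_decrypt(payload: bytes, passphrase: str) -> bytes:
    """Reverse the layout: base64-decode, split off the IV, decrypt, unpad."""
    raw = base64.b64decode(payload, validate=True)
    if len(raw) < BLOCK or len(raw) % BLOCK:
        raise ValueError("payload is not an IV followed by whole cipher blocks")
    iv, ciphertext = raw[:BLOCK], raw[BLOCK:]
    dec = Cipher(algorithms.AES(derive_key(passphrase)), modes.CBC(iv),
                 backend=default_backend()).decryptor()
    # Zero padding is ambiguous: genuine trailing NULs in a binary file are
    # lost here, so verify restored binaries (images, archives) against backups.
    return (dec.update(ciphertext) + dec.finalize()).rstrip(b"\x00")


def restore_tree(root: Path, passphrase: str) -> list:
    """Decrypt every *.EV file under root, writing back the original name.

    The encrypted file is kept until the plaintext is written, so a wrong key
    or a corrupt payload never destroys the only remaining copy.
    """
    restored = []
    for ev_file in sorted(root.rglob("*.EV")):
        try:
            plaintext = ev_decrypt(ev_file.read_bytes(), passphrase)
        except ValueError:
            continue  # not in the expected layout; leave it for manual review
        original = ev_file.with_name(ev_file.name[:-len(".EV")])
        original.write_bytes(plaintext)
        ev_file.unlink()
        restored.append(original)
    return restored


def demo(passphrase: str = "constructed-key") -> dict:
    """Constructed scenario: two 'encrypted' site files in a temp dir, then recovery."""
    site = Path(tempfile.mkdtemp())
    files = {"wp-config.php": b"<?php define('DB_NAME', 'wp'); ?>",
             "index.php": b"<?php require 'wp-blog-header.php';"}
    for name, content in files.items():
        (site / (name + ".EV")).write_bytes(ev_encrypt(content, passphrase))
    restore_tree(site, passphrase)
    return {p.name: p.read_bytes() for p in sorted(site.iterdir())}


if __name__ == "__main__":
    for name, content in demo().items():
        print(name, "->", content.decode())
```

The decryptor refuses payloads whose length is not a whole number of blocks rather than guessing, and `restore_tree` only removes the `.EV` copy after the plaintext is safely written; with an unknown or mistyped key, CBC decryption yields garbage rather than an error, so check a recovered text file by eye before running the tool across the whole site.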