
EV Ransomware Targets WordPress Sites

September 12, 2017

A new strain of ransomware targets websites created through WordPress. The malware encrypts a web server’s files, making them inaccessible. Experts have named the malicious software “EV” because it appends “.ev” to files after encrypting them.

The ransomware is also known as Ronggolawe or AwesomeWare.

Indonesian hackers originally uploaded the malware to GitHub under the name AwesomeWare. The developers claimed that the open-source malware was for educational purposes, but before long, security companies started detecting attacks using the malware on WordPress sites.

What sets this ransomware apart from others is that it targets web servers as opposed to the more usual target of Windows workstations. The attackers attempt to encrypt the site owner’s files and deny them access to their site.

The specific attack vector for EV ransomware is unknown. Because WordPress allows a wide variety of third-party plugins, there are many possible vulnerabilities. However, WordPress users can still protect themselves with a couple of precautions.

WordPress users should employ a web application firewall (WAF) and maintain backups offline.

A WAF can prevent hackers from uploading the malicious .php files used to infect web servers with EV ransomware. A good WAF protects against known malware and blocks any suspicious files from being uploaded.

Prevention of ransomware is preferable, but keeping current backups of files will protect your website if malware does encrypt your files. These copies should be kept offline or in the cloud so that they are isolated from a ransomware infection.
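A WAF works at upload time; the check below is a complementary, after-the-fact integrity scan a site owner could run from cron against the web root. It is an added example written for this article, not code from the article or from any WordPress or WAF project. It looks for the two indicators the text gives: files carrying the “.ev” suffix EV appends after encryption, and PHP files sitting under wp-content/uploads, where WordPress normally stores only media. The sample directory tree, the list of PHP extensions, and the assumption that a clean site has no PHP under uploads are all constructed for the example.

```python
"""Integrity scan for a WordPress web root (added example, not the article's code).

Two indicators are checked:
  1. files ending in ".ev"  -> the suffix EV ransomware appends after encryption
  2. *.php under wp-content/uploads -> assumption: legitimate sites keep only media there
"""
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".ev"                       # suffix EV appends (from the article)
UPLOADS_DIR = Path("wp-content") / "uploads"   # standard WordPress media directory
SCRIPT_SUFFIXES = {".php", ".phtml", ".php5"}  # assumed set of executable PHP extensions

# Constructed sample tree modelled on a WordPress layout (not a real site).
# Keys are paths relative to the web root, values are file contents.
SAMPLE_TREE = {
    "wp-config.php": "<?php /* legitimate core file */",
    "wp-content/themes/demo/style.css": "body { margin: 0; }",
    "wp-content/uploads/2017/09/photo.jpg": "jpeg-bytes",
    "wp-content/uploads/2017/09/photo.jpg.ev": "ciphertext",             # encrypted by EV
    "wp-content/uploads/2017/09/dropper.php": "<?php /* hypothetical uploaded script */",
}


def build_sample_site(base: Path) -> Path:
    """Write the constructed tree under base/htdocs and return that web root."""
    root = base / "htdocs"
    for rel, content in SAMPLE_TREE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def walk_files(root: Path):
    """Yield every regular file below root as a path relative to root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            yield Path(dirpath, name).relative_to(root)


def find_encrypted_files(root: Path) -> list:
    """Files whose extension matches the suffix EV appends after encryption."""
    return sorted(p.as_posix() for p in walk_files(root)
                  if p.suffix.lower() == ENCRYPTED_SUFFIX)


def find_php_in_uploads(root: Path) -> list:
    """PHP files inside wp-content/uploads, where WordPress stores only media."""
    prefix_len = len(UPLOADS_DIR.parts)
    hits = []
    for p in walk_files(root):
        in_uploads = p.parts[:prefix_len] == UPLOADS_DIR.parts
        if in_uploads and p.suffix.lower() in SCRIPT_SUFFIXES:
            hits.append(p.as_posix())
    return sorted(hits)


def scan(root: Path) -> dict:
    """Run both checks and return a report; any .ev file marks the site as suspected hit."""
    encrypted = find_encrypted_files(root)
    php_uploads = find_php_in_uploads(root)
    return {
        "encrypted_files": encrypted,
        "php_in_uploads": php_uploads,
        "ransomware_suspected": bool(encrypted),
    }


def demo_report() -> dict:
    """Build the constructed sample site in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_site(Path(tmp)))


if __name__ == "__main__":
    for key, value in demo_report().items():
        print(f"{key}: {value}")
```

A PHP file under uploads is a finding worth investigating but not proof of compromise on its own, so the report keeps the two indicators separate and only the “.ev” hits set the suspected flag; the scan reads files' names only, never their contents, so it is cheap enough to run often and to compare against the last known-good backup.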

Restoring a WordPress website through backups may be the only viable option if EV ransomware encrypts your files. Because the ransomware is not fully functional, it can encrypt, but not decrypt, files. Even if a victim pays the ransom and receives a decryption key, a data recovery expert would be necessary to fix the broken code and decrypt the files.

An Indonesian hacking group is linked to the malware.

A group known as Bug7sec uploaded the source code that EV ransomware uses. On the group’s Facebook page, Bug7sec also takes credit for two other strains of ransomware that operate similarly to EV. Their motivation is unclear since they are offering the code for free.

This new threat highlights the importance of using good internet hygiene and security software. Hackers will continue to search for new vulnerabilities as old ones are patched. Keep your website safe by regularly updating plugins, using a web application firewall, and maintaining current backups in an isolated location.