WordPress Ransomware Found in Attacks on WordPress Websites

This just in, WordPress is now the target of Ransomware creators!

I want to give you the quick run down of what I learned today, which you can just listen to in the video above.

Recently, the Wordfence team has seen ransomware being used in attacks targeting WordPress. They are currently tracking a ransomware variant they are calling “EV ransomware.” Most ransomware targets Windows workstations. However, the Wordfence team is currently tracking an emerging kind of ransomware that targets WordPress websites.

During their analyses of malicious traffic targeting WordPress sites, they captured several attempts to upload ransomware that would give an attacker the ability to encrypt a WordPress website’s files and then extort money from the site owner.

The ransomware is uploaded by an attacker once they have compromised a WordPress website. It provides the attacker with an initial interface that looks like this:

Image Courtesy of Wordfence

When the encryption process starts, the ransomware creates two files in its installation directory. The first is named “EV.php,” a file containing an interface that is supposed to allow the user to decrypt their files if they have a key. This file contains a form, but it does not work because it does not include decryption logic.

Wordfence suggests that if you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they do provide you with a key, you will need to hire an experienced PHP developer to help you fix the broken code in order to use the key and reverse the encryption.

This WordPress ransomware was first seen by Wordfence being used in a single attack attempt on July 7th, 2017.

The Wordfence plugin, if set up correctly, will protect you from being hit by this in the first place. They also recommend that you have reliable backups. Shameless plug here: we can set up the Wordfence plugin for you as a one-off service, or if you come on board as a WordPress Maintenance Concierge client it is included.

It is important that you don’t store your backups on your web server. If your backups are stored on your server and your site is taken over by this ransomware, the backups will also be encrypted and will be useless. Your backups should be stored off the server, either with your hosting provider or using a cloud storage service like Dropbox. Two shameless plugs in a row? Yes, we keep multiple backups so that something like this can’t become a huge issue for our clients. This alone is worth the monthly investment.

WordPress ransomware is expected to get worse and more widespread over the next few months, according to Wordfence. We agree that this is just the beginning, as we have seen with all of the variations of ransomware that have continued to attack computers over the past year.

If you want to learn more about our service you can check it out here: https://ishouldbeyourwpguy.com/wordpress-security-maintenance-concierge/

Special thanks to the Wordfence team for being on top of issues like this and helping to keep all of us safe.
Wordfence original blog post: https://www.wordfence.com/blog/2017/08/ransomware-wordpress/
