Ev Ransomware

Researchers specializing in the detection and analysis of malicious software have recently discovered a new infection acting as typical ransomware – Ev Ransomware. While the majority of ransomware-type infections are developed to work on machines with the Windows OS running on them, this malicious application targets WordPress websites primarily. Ransomware infections are such threats that enter computers or servers illegally and then start automatically performing malicious activities on them. Hackers program these threats to act like this not without reason, of course. The only thing they seek to get is easy money. Ransomware infections use strong unbreakable encryption algorithms for the same reason as well. Cyber criminals know well that it will be easier to extract money by encrypting people’s important files, and it seems that this tactic works because many victims are determined to pay money in exchange for decrypted files. For the same reason, malicious software developers will definitely not stop developing new crypto-threats soon.

If your WordPress website has already been compromised and Ev Ransomware uploaded on it, there is no doubt that a number of page components (e.g., .css and .html files) have become encrypted. This malicious application locks all of them without mercy leaving only several files untouched. These files have the following patterns: .php, .png, 404.php, .htaccess, .Index.php, DyzW4re.php, index.php, .htaDyzW4re, and .lol.php. Ev Ransomware sends information about encrypted directories and files to an email htaccess12@gmail.com. Most probably, it informs its developer about the key used to encrypt files. It is not hard at all to find out which files have been locked, and it is not necessary to try opening these files one by one to find out which of them have been encrypted because all files this ransomware infection affects get a new extension .EV appended to them. Yes, you are right – Ev Ransomware has been named after the extension it uses to mark those files it encrypts. The encryption algorithm used – Rijindael 128 – is strong, and, undoubtedly, the developer of this infection knows that, so it might be impossible to crack it and unlock files. Frankly speaking, there are no guarantees that they could be unlocked even if its owner sends 0.2 BTC (~ 959 USD at today’s price) to cyber criminals in exchange for the decryption service. Even if the key for unlocking files is sent to you, you will need an experienced PHP developer to fix these files – the key is completely useless if the code of files is not fixed.

Recent research has shown that Ev Ransomware is not working fully properly at present. Of course, it is, most probably, only a question of time when it evolves into a fully functional ransomware and becomes popular among cyber criminals seeking to obtain easy money. If you are reading this article because you are concerned about the security of your WordPress website, you should know that there are two simple steps to ensure its maximum protection. First, you must use special security software so that it would be impossible to upload malicious software on your site. Second, security specialists recommend backing up the website periodically. Your backups cannot be stored on the same web server because they will also be encrypted and become completely useless if the website is ever affected by ransomware. It is best to keep such important backups offline. Also, you can keep them on a cloud storage service of your choice.

If your WordPress website has already been affected by the same version of Ev Ransomware researchers have analyzed, the chances are basically zero that these files could be decrypted even if you get the decryption key because research has clearly shown that the decryption mechanism of this ransomware infection is faulty. Do not let the history repeat itself – take the necessary security measures as soon as possible. As mentioned above, creating backups periodically and keeping a right security plugin enabled should be enough to prevent new malware from ruining your WordPress website irreversibly again.