Ransomware Targeting WordPress – An Emerging Threat

Recently, the Wordfence team has seen ransomware being used in attacks targeting WordPress. We are currently tracking a ransomware variant we are calling “EV ransomware.” The following post describes what this ransomware does and how to protect yourself from being hit by this attack.

A Quick Introduction to Ransomware

Ransomware is malicious software that an attacker installs on your computer or on your server. They use an exploit to gain access to your system, and then the ransomware executes, usually automatically.

Ransomware encrypts all your files using strong unbreakable encryption. The attackers then ask you to pay them to decrypt your files. Usually payment is via bitcoin. Bitcoin gives the attackers a way to create an anonymous wallet into which the ransom can be paid.

Ransomware has been around for a long time. It originally dates back to 1989 with the “PC Cyborg trojan horse virus” that would extort its victims into sending $189 to a PO Box in Panama to get their files decrypted. The encryption on that virus was easily crackable.

Ransomware today is growing fast. In 2017, 100 new ransomware variants were released into the wild, and there was a 36% year-over-year increase in ransomware attacks worldwide. The average ransomware demand increased 266% to an average of $1077 per victim. [Source: Symantec Threat Report 2017]

This year we have seen ransomware attacks on a scale that would have been hard to imagine several years ago. In May of this year, the WannaCry ransomware attack affected hundreds of thousands of people in over 150 countries. The UK National Health System was affected and had to divert ambulances away from affected hospitals.

In June we saw the Petya (eventually dubbed NotPetya or Netya) ransomware rapidly spreading, starting in Ukraine. A large number of high-profile organizations were affected, including Ukraine’s state power company, the Chernobyl nuclear reactor, Antonov aircraft, shipping company Maersk and food giant Modelez.

Today a large number of affected people and organizations actually pay attackers when they are hit by ransomware, and sometimes their files are successfully decrypted. Security organizations, including the FBI, generally advise customers to not pay attackers because this encourages the spread of this kind of attack. However, many organizations simply do not have the option of not recovering their data – and so they pay, which perpetuates this criminal business model.

Ransomware Now Targets WordPress

Most ransomware targets Windows workstations. However, the Wordfence team is currently tracking an emerging kind of ransomware that targets WordPress websites.

During our analyses of malicious traffic targeting WordPress sites, we captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files and then extort money from the site owner.

The ransomware is uploaded by an attacker once they have compromised a WordPress website. It provides the attacker with an initial interface that looks like this:

This interface provides both the encryption and decryption functionality to an attacker. The attacker then chooses a complex key, enters it into the “KEY ENC/DEC” field and hits submit.

The site is then encrypted. The result looks like this:

The ransomware will not encrypt files that have the following patterns:

  • *.php*
  • *.png*
  • *404.php*
  • *.htaccess*
  • *.lndex.php*
  • *DyzW4re.php*
  • *index.php*
  • *.htaDyzW4re*
  • *.lol.php*

For each directory that the ransomware processes, it will send an email to “” that informs the recipient about the host name and the key used to perform the encryption.

All files affected are deleted and another file takes their place with the same name, but with the “.EV” extension. This new file is encrypted.

For our technical audience: The encryption process uses mcrypt’s functionality, and the encryption algorithm used is Rijndael 128. The key used is a SHA-256 hash of the attacker-provided encryption key. Once the data is encrypted, the IV used to encrypt the file is prepended to the ciphertext, and the data is base64-encoded before it is written to the encrypted .EV file.

Decryption Is Incomplete

When the encryption process starts, the ransomware creates two files in its installation directory. The first is named “EV.php,” a file containing an interface that is supposed to allow the user to decrypt their files if they have a key. This file contains a form, but it does not work because it does not include decryption logic.

The second file is a .htaccess file that redirects requests to the EV.php file. Once your site has been encrypted, it will look like this:

This ransomware provides an attacker with the ability to encrypt your files, but it does not actually provide a working decryption mechanism. It does, however, give attackers what they need to trick affected site owners into paying a ransom. Their only goal is to encrypt your files. They don’t actually have to prove they can decrypt your files to get you to pay a ransom.

If you are affected by this ransomware, do not pay the ransom, as it is unlikely the attacker will actually decrypt your files for you. If they provide you with a key, you will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption.

How to Protect Yourself

This ransomware was first seen by Wordfence being used in a single attack attempt on July 7th. We released a malware signature to our Premium Wordfence customers on July 12th that was specifically designed to detect this ransomware and any variants.

That means our Premium customers’ firewalls have been blocking any attempts to upload this ransomware since then. The Wordfence scan also has detected the presence of this ransomware for Premium customers since July 12th.

30 days later on August 11th, this rule became available for our free community customers. If you are running Wordfence Premium or Wordfence free on your websites, you are currently protected against this attack.

Wordfence will protect you from being hit by this in the first place. We also recommend that you have reliable backups. It is important that you don’t store your backups on your web server. If, for example, they’re stored in a ZIP archive on your server, then if your site is taken over by this ransomware, the backups will also be encrypted and will be useless. Your backups should be stored offline, either with your hosting provider or using a cloud storage service like Dropbox.

Who Is Responsible

The earliest variant of this ransomware appeared in May of last year on Github. Version 2 of the ransomware is what attackers are currently using.

The first time we observed this ransomware being used in the wild to target WordPress websites was last month.

The authors of the ransomware on Github are bug7sec, an Indonesian group with a Facebook page who have listed themselves as a “business consultant.”

The source code uses Indonesian words like “kecuali,” which means “except” in English. You can see this in the source code samples below:

The function above determines whether it should exclude a file from encryption, so the word ‘except’ makes sense in this context as an Indonesian function name.

When you load the ransomware, it loads a YouTube video which is invisible, but you can hear the audio playing in the background when you view the ransomware user interface. The video plays an Indonesian rap tune and the lyrics appear to mention hacking.

The title of the video is “ApriliGhost – Defacer Kampungan.” If you look up @aprilighost on Twitter, you find this account, which links to this Indonesian Facebook account. ApriliGhost may not be the attacker, but the video is Indonesian in origin – a further Indonesian connection.

Another clue is that the ransomware seems to be connected with the website When you view the ransomware in a web browser, after a certain amount of time it will redirect you to that site, which is an Indonesian hacking forum and website with resources for hackers.

Our attack data has logged related attacks from IPs with the location of Jakarta, the capital of Indonesia. We have seen related attacks originating from several other non-Jakarta IPs, but these do not resolve to any specific location, but rather to organizations that may be used to proxy attacks. So far, Jakarta is the only location with a clear link to these attacks.

Conclusion: This ransomware was created in Indonesia, probably by bug7sec, and used by at least one Indonesian-based hacking group, from Indonesia, to target WordPress websites.

We Expect This to Evolve Into Fully Functional and Widespread Ransomware

The EV ransomware that we have documented above is incomplete, in that the decryption function does not work correctly. It does work well enough to extort money from unsuspecting website owners, although we have not yet received any reports of extortion taking place. So far we are only seeing attempts to drop this ransomeware on WordPress websites.

We expect this to evolve over the next few months into fully functional ransomware that targets both your files and database in WordPress. We also expect to start seeing incidents of extortion. For websites that do not have a firewall like Wordfence and regular backups, this may turn into a profitable business for attackers who can ransom a few thousand websites.

So far, attackers targeting WordPress have earned money only indirectly from compromised WordPress sites through techniques like email and SEO spam.

Major vulnerabilities in the WordPress ecosystem emerge from time to time – for example, the defacement campaign that the WordPress community experienced earlier this year. The next major vulnerability may see attackers switching from older business models to using ransomware to directly monetize compromised WordPress websites.

Stay Safe

As I mentioned above, Wordfence has been blocking this ransomware for our Premium customers since we first saw it used in an attack in early July. I strongly recommend that you install Wordfence Premium to protect yourself against these kinds of threats.

In September of last year, Wordfence integrated our malware scan into our firewall. This allows Wordfence to use malware signatures that we create to recognize files like this ransomware variant in our firewall. By using this technique, Wordfence will block an attempt to upload ransomware, even if the attacker used an unknown exploit.

To get the most benefit from Wordfence, I encourage you to upgrade to Premium. Not only do you get your firewall rules in real time, but you also get our malware signatures in real time from our team. In this case, you would have been protected from this new ransomware detection for over a month already by now.

An additional layer of protection against a ransomware attack is to ensure that you have good offline backups. Make sure your backups don’t live on your web server. They need to be backed up to a separate server or a cloud storage service like Dropbox or Google Drive. Keep in mind, though, that your backups are your last line of defense. It is better to avoid getting hacked in the first place.

I hope you have enjoyed this detailed post on ransomware and how it is beginning to target WordPress. If you have any questions or comments, post below and I will be around to reply.


Mark Maunder – Wordfence Founder/CEO

Thank you to Pan Vagenas for his research which contributed to this post. Also thanks to Andie La-Rosa and Dan Moen for their assistance editing this post. 

The post Ransomware Targeting WordPress – An Emerging Threat appeared first on Wordfence.


NGINX and PHP Malware Used in Petya/Nyetya Ransomware Attack

Author’s note: This is a technical blog post which I’m hoping server administrators and web hosting providers will find helpful. It also includes malware history and video footage which I hope you enjoy. ~Mark Maunder

Cisco’s Talos security group published an excellent blog post yesterday describing the recent ransomware campaign that goes by various names, including Petya, NotPetya and Nyetya. For clarity, I’m going to call it Nyetya from here on in.

The Talos team’s post provides a very clear account of how the initial ransomware infections started. In the account, they describe how the attackers reconfigured an NGINX web server to reverse proxy requests to a compromised server at a hosting provider. The Talos team also discovered a well-known malware variant on the compromised web server. This immediately got our attention because, of course, PHP malware and attack vectors are what we think about all day long at Wordfence.

In this post, I’m going to try to provide a clear picture of how the web components in the attack were used and abused by attackers. At the end of the post I’ll discuss what hosting providers and site admins can learn from this attack.

How and Why the Attacker Used NGINX Reverse Proxying to Control Infected Machines

M.E.Doc is a company in Ukraine that makes accounting software. They have many clients, and they distribute their software directly to their customers. Around April this year, their network was compromised because an attacker managed to acquire stolen credentials belonging to an administrator. Using these credentials, the attacker was able to log in and start modifying server configurations and software.

The attacker modified the nginx.conf config file on an M.E.Doc update server to reverse proxy requests to a server hosted at OVH. The server was being used by a hosting reseller called This server had been compromised by the attacker prior to launching the attack on M.E.Doc.

The attacker then modified the M.E.Doc accounting software to include their own malicious code. Unaware of the infection, M.E.Doc then distributed the compromised software to its clients as usual. Once installed on a workstation, the modified software contacted the compromised M.E.Doc NGINX server every two minutes to fetch commands the attacker wanted to run.

That request to the M.E.Doc NGINX server for commands was reverse proxied through to the compromised OVH command and control server the attacker controlled. When the attacker wanted to send commands to infected workstations, they simply set up a new command on the compromised OVH server which the workstations then dutifully fetched via the compromised NGINX server.

To summarize:

  • The attacker modified the M.E.Doc accounting software to fetch commands from a hacked M.E.Doc update server.
  • That software was distributed to clients.
  • The hacked M.E.Doc NGINX server proxied those requests for commands to a hacked OVH server.
  • Attacker sent commands back to the hacked NGINX server, which were forwarded to the compromised workstations running the M.E.Doc accounting package.

The following diagram illustrates the configuration the attacker created.

This Is Smart Because It Is Evasive

Many network administrators have intrusion detection systems on their networks. One of the intrusion methods those IDS systems look for is communication from malware to a command and control (C&C) server. The IDS systems have a database of indicators of compromise, or IOCs. Those IOCs include IP addresses of known C&C servers.

If the attacker in this case had communicated directly from the hacked M.E.Doc software to their C&C server, a network IDS would have detected it, then would have blocked the request and alerted the network administrator. Instead, the network administrators saw M.E.Doc software communicating with an M.E.Doc update server as expected, and assumed everything was okay.

How the Attacker Distributed Ransomware

Once the attacker controlled a large enough number of machines using the above technique, they simply ran a command that caused the controlled machines to fetch ransomware and install it. It was that simple. The rest is the story of the Petya/Nyetya/NotPetya ransomeware infection you’ve read about in the news recently.

The PHP Malware Used In This Attack Has a Colorful History

The Cisco Talos team also found PHP malware on the compromised NGINX machine with the following path:[.]com[.]ua/TESTUpdate/medoc_online.php [Square parentheses included for safety.]

We managed to get a sample of the malware from intelligence-sharing partners, along with the password to decrypt it. Surprise, surprise: the malware is our old friend “PAS.” Last year in December, we wrote a detailed analysis of the PHP malware used in the US election hack. The malware was released by the U.S. Department of Homeland Security as part of a set of indicators of compromise related to the election hack. We analyzed the malware back then, and found that it is well-known, widely used, freely available and is known as PAS.

We tracked down the site that provides the malware. At the time it was available from: http://profexer.[name]/pas/download.php

That site is now offline, and for good reason. Someone posted a link to the DHS report and our blog post to the forums at where the author who goes by profexer hangs out. When he discovered his web shell and website had been linked to the election hack, he presumably got nervous and took his site offline. It has been offline since then.

The malware that the Cisco Talos team found in the Nyetya ransomware attack is a version of PAS. Once you access the malware via a web interface and enter the password to decrypt it, this is what it looks like:

The Talos team don’t seem to have data showing how the PAS web shell was used in the attack. My guess is that it was just used as a convenience by the attacker to provide them with a graphical interface in a browser rather than having to use SSH and the command line.

What is interesting is that accessing this malware would have been “noisy.” It would have left a trail in the web server access logs, and if it had been accessed via HTTP and not HTTPS, it may have triggered alarms. SSH would have looked less suspicious because the only data would have been the source and target IP and the connect and disconnect. Using a web shell creates a log entry for every command run. This suggests a lack of sophistication or perhaps simply a lack of care on the attackers’ part.

Once we received this sample, we checked our own attack data to determine if this exact variant of PAS had been used to target our own customer sites. It has not; however, we did find several instances where other PAS variants had targeted customer sites. In all these cases, Wordfence successfully blocked the attacks. We’ve since confirmed that Wordfence is also blocking this specific sample.

Takeaways for Web Hosting Providers and Server Admins

As I mentioned at the start of this post, the hackers in this attack were able to compromise the M.E.Doc network using stolen credentials. If you are a hosting provider or server admin, consider using two-factor authentication for any server access, including SSH. Assuming the attacker did not have access to the credential owner’s other devices, two-factor authentication would have stopped this attack, or at least made it significantly harder for the attacker to gain access.

Better configuration management might have helped alert a system administrator to a change in an nginx.conf file. This might have also caught the malicious change in the M.E.Doc software when the file hashes changed.

If M.E.Doc had had an internal IDS configured to monitor the default gateway, they might have caught the traffic from the compromised NGINX server being reverse proxied to a compromised OVH server.

The M.E.Doc servers had reportedly not been updated since 2013. So it goes without saying: bring all your servers up to the latest patch levels, and actively maintain all other software.

The Ukraine National Police posted the video below, showing them raiding the M.E.Doc servers. Notice the “creative” server cooling tech being used at around 1:00 in the video.

As always I’ll be around to reply to any questions or comments. Stay safe out there, keep your credentials secure, and keep those servers up to date.

~Mark Maunder

The post NGINX and PHP Malware Used in Petya/Nyetya Ransomware Attack appeared first on Wordfence.


New WannaCry Ransomware and How to Protect Yourself

This is another Wordfence public service announcement (PSA) that describes new WannaCry ransomware variants that have emerged in the past few hours and describes how to protect yourself against the WannaCry ransomware, also known as the WannaCrypt ransomware. We occasionally send out alerts that are outside the WordPress space when we feel that they are in the interests of our WordPress publishers and the broader global community. This is, unfortunately, one of those alerts.

How to protect yourself against WannaCry ransomwareOn Friday we alerted you to a global ransomware campaign a few hours after it started. That campaign has now infected over 10,000 organizations and 200,000 individuals in 150 countries. This includes the UK National Health System which saw ambulances divert from affected hospitals.

On Friday a researcher accidentally stopped the ransomware from spreading by registering a domain that served as a kill switch for the ransomware.

A few hours ago new variants of the WannaCry ransomware started emerging. One of the variants was also stopped today by registering a kill switch domain, the same way the ransomware was stopped on Friday. A second variant is not encrypting infected machines due to an error in programming, but it is spreading.

We expect new variants to emerge all week that continue to exploit the vulnerability in SMB that WannaCry has been using. It is critical that Windows users protect themselves immediately against this threat.

WannaCry Ransomware: How to protect yourself

  1. If you use Windows, install the patch that Microsoft has released to block the specific exploit that the WannaCry ransomware is using. You can find instructions on this page in the Microsoft Knowledge Base. You can also directly download the patches for your OS from the Microsoft Update Catalog.
  2. If you are using an unsupported version of Windows like Windows XP, Windows 2008 or Server 2003, you can get the patches for your unsupported OS from the Update Catalog. We do recommend that you update to a supported version of Windows as soon as possible.
  3. Update your Antivirus software definitions. Most AV vendors have now added detection capability to block WannaCry.
  4. If you don’t have anti-virus software enabled on your Windows machine, we recommend you enable Windows Defender which is free.
  5. Backup regularly and make sure you have offline backups. That way, if you are infected with ransomware, it can’t encrypt your backups.
  6. For further reading, Microsoft has released customer guidance for the WannaCry attacks and Troy Hunt has done an excellent detailed writeup on the WannaCry ransomware.

Get the word out

The second wave of attacks appears to have just started within the past few hours. This is going to be a rough week for Windows users. We recommend you get the word out by sharing this post to help keep friends and family secure.

Additional resources:

The post New WannaCry Ransomware and How to Protect Yourself appeared first on Wordfence.


WordPress-Delivered Ransomware and Hacked Linux Distributions

In a rather unfortunate turn of events earlier this month, the Hollywood Presbyterian Medical Center was infected with ransomware. Ransomware, if you’re unfamiliar with it, encrypts everything on your workstation and then tells you to pay an attacker to decrypt your system and regain access to your information.

In the case of Presbyterian, they had to pay 40 bitcoins or the equivalent of $17,000 to regain access to their systems. The ransomware attack affected CT scans, documentation, lab work, pharmacy functions and their email went down. Last week they paid the attacker the $17,000 and their systems were decrypted and they’re back online.

Unfortunately WordPress has been a source of ransomware infections. It’s unknown whether it contributed to the Presbyterian attack or not. During the past month the information security industry has seen WordPress used as a kind of platform to launch ransomware attacks. It works as follows:

  • A WordPress site is hacked through any method available. That may be a brute force password guessing attack or by exploiting a vulnerability in a plugin, theme or core.
  • The attacker installs code on the WordPress site that redirects visitors to other infected websites that are running the Nuclear Exploit Kit. The redirects may happen through a series of websites to try and prevent web browsers and Google from warning you that a site is infected. The sites involved in the redirect change frequently.
  • When a visitor to the infected site is redirected, the nuclear exploit kit searches for vulnerabilities in the site visitor’s Flash Plugin, Microsoft Silverlight, Adobe Reader or Internet Explorer.
  • If Nuclear finds a vulnerability, it exploits the visitor machine and installs the TeslaCrypt Ransomware.
  • The ransomware then encrypts all files on the workstation and extorts the owner into paying to get their system decrypted.

This is what TeslaCrypt looks like:

A screenshot of the screen that TeslaCrypt displays when your files are encrypted. Courtesy Bromium Labs.

A screenshot of the screen that TeslaCrypt displays when your files are encrypted. Courtesy Bromium Labs.


As you can tell from the sequence of events above, TeslaCrypt and the attackers behind it rely on a cascade of failures. They require multiple vulnerable WordPress sites to perform their infection and to set up a chain of redirects. They then need a visitor using an unpatched workstation with vulnerable applications to visit an infected site.

The fact that Hollywood Presbyterian actually paid the ransom to regain access to their systems, speaks volumes about how effective a ransomware attack is and the impact it has on systems.

Update: If you are infected with TeslaCrypt, there is a utility available written by an anonymous researcher called TeslaCrack which may help. Thanks to Samuel who posted it in the comments below, where you can find a link to the utility along with a few other links I’ve added discussing the utility.

In another turn of events, the Linux distribution “Mint” reported on Saturday that they had their website hacked via a WordPress installation. According to Clement Lefebvre, the project leader, in reply to a comment on their blog:

“We found an uploaded php backdoor in the theme directory of a wordpress installation, which was 1 day old and had no plugins running. The theme was new but most importantly I think we had lax file permissions on this. This was only set up hours before the attack but we were probably scanned for something like this for a while. Anyhow, we don’t know yet how it was uploaded but we know it happened there, and I’m certainly not pointing the finger at anybody. People just asked if we were running wordpress or if wordpress was used in the attack and I answered yes.”

The attacker replaced the real Linux distribution that Mint users download from the site with a version that had malware installed. The modified Linux distribution turns your Linux machine into a member of an attack botnet that can be used for DDoS attacks.

As WordPress site owners, our role in this is clear. If you don’t protect your WordPress site from attackers, you risk infecting your site visitors with Ransomware, turning their machines into an attack platform, or worse.

When thinking about WordPress security, it’s important to consider the broader impact a hack might have, and the larger responsibility that we as site admins have to not just protect our own website and our investment, but our site members’ personally identifiable data and the security of visitors to our websites.

At Wordfence, we continue to provide detailed advice on how to keep your WordPress site secure including here on our blog and in our WordPress Security Learning Center. Securing your site is critically important, not just to protect your investment, but for your site visitors’ safety.

In other news: We’d like to remind all ElegantThemes customers to update their themes if they haven’t already. There was a critical security update released on Thursday that fixed a vulnerability in several of their themes. Update immediately if you haven’t done so already.

As always we welcome your comments below. Please share this with the larger community to create awareness of our larger responsibility as WordPress site administrators.

The post WordPress-Delivered Ransomware and Hacked Linux Distributions appeared first on Wordfence.