Again and again there are attacks on WordPress websites, and they are often successful. Is WordPress insecure? And if so, why? And if not, why are the attacks successful? And what do the attackers want?
August 2017: Ransomware attacks
In August 2017, Wordfence developers reported attacks on WordPress sites by a ransomware called "EV ransomware". Ransomware is malicious software that paralyzes a computer, or parts of it, and releases it only after a ransom has been paid. The paralyzing is done, for example, by encrypting files or by blocking access to the computer. Such attacks are generally directed against Windows clients, but in principle this business model works with all sorts of computers, WordPress installations included.
When analyzing malicious traffic to WordPress sites, Wordfence developers saw several attempts to install ransomware on the server. Installing the ransomware requires that the server has already been compromised. The installed ransomware then allows the attacker to encrypt and decrypt all files, apart from specified exceptions, with a key that is entered.
Files matching the following patterns are not encrypted:
- *.php*
- *.png*
- **404.php
- **.htaccess
- **.lndex.php
- **DyzW4re.php
- *Index.php*
- **.htaDyzW4re
- **.lol.php
For each processed directory, the ransomware sends an e-mail to a given address containing the host name of the infected machine and the key used. Every encrypted file is deleted after encryption and replaced by its encrypted version with the file extension .EV.
For encryption, mcrypt is used, with Rijndael 128 as the algorithm and the SHA-256 hash of the key chosen by the attacker as the key. After encryption, the initialization vector (IV) that was used is prefixed to the ciphertext, and the result is base64-encoded and written to the .EV file.
Now it gets even nastier …
In theory, the files could be decrypted again. In practice this is not possible, at least not with this ransomware. Before it starts encrypting, it creates two files in its installation directory:
The PHP script EV.php, with an interface that looks as if it decrypts the encrypted files once the correct key is entered, and a .htaccess file that redirects requests to that PHP script.
Never pay the ransom!
You should generally never give in to a ransomware demand: on the one hand so as not to support the cyber-criminals, on the other hand because they are often unable to decrypt the data anyway, as in this case. And after all, attacks like this are one of the things you have a backup for.
Anyone who paid the ransom in this case, and was fortunate enough to actually receive the key from the cyber-criminals, would still have no access to their files for the time being. They would then have to implement a decryption function themselves, or have a third party implement one, in order to decrypt the files.
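What such a decryption function would have to do, given the file format described above, as an added example that is neither part of the original article nor the malware's own code, written in Go rather than the ransomware's PHP: DecryptEV takes the base64 text of an .EV file and the attacker's passphrase, and encryptEV merely constructs a sample in the same layout so the round trip can be checked offline. CBC mode and NUL padding are assumptions taken from mcrypt's usual behaviour; the article names Rijndael-128, the SHA-256 key derivation and the prefixed IV, but not the block mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// newCipher derives the AES key as described: SHA-256 of the attacker's passphrase.
func newCipher(passphrase string) (cipher.Block, error) {
	sum := sha256.Sum256([]byte(passphrase)) // 32 bytes, so Rijndael-128 runs as AES-256
	return aes.NewCipher(sum[:])
}

// DecryptEV reverses the described container: base64 decode, split off the
// 16-byte IV prefixed to the ciphertext, decrypt the rest and strip mcrypt's
// NUL padding. CBC mode is an assumption; the article does not name the mode.
func DecryptEV(encoded, passphrase string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, err
	}
	if len(raw) < aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("not an IV followed by whole AES blocks")
	}
	block, err := newCipher(passphrase)
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	// mcrypt zero-pads, so trailing NULs are padding; a file that genuinely
	// ends in NUL bytes would lose them here, so handle binaries with care.
	return bytes.TrimRight(pt, "\x00"), nil
}

// encryptEV builds a constructed sample in the same layout so DecryptEV can be
// exercised offline; it is a test fixture, not the malware's own code.
func encryptEV(plaintext []byte, passphrase string, iv []byte) string {
	block, _ := newCipher(passphrase) // a 32-byte key never fails here
	pad := (aes.BlockSize - len(plaintext)%aes.BlockSize) % aes.BlockSize
	padded := append(append([]byte{}, plaintext...), make([]byte, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...))
}
```

Without the passphrase from the attacker's e-mail, the SHA-256 derivation gives nothing to brute-force against; the point is that even with it, recovery takes code the victim has to write.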
So, how do you protect yourself?
According to Wordfence, protection against this attack is offered by their anti-malware solution, for which a suitable signature was developed after the first attacks had been observed. Those first victims were therefore left out in the cold despite their Wordfence protection. The signature initially went only to paying customers; everyone else received it 30 days later. But do you even need that? In my opinion not, because the protection is actually much simpler: the ransomware can only be installed if the server has already been compromised, and you do not want that in any case. Whatever the attackers do with the hijacked server, it will never be in the operator's interest.
So as long as your server has no vulnerability through which cyber-criminals can break in, at least this ransomware will not threaten you. A future attack by another ransomware could well exploit a previously unknown vulnerability, so that even fully updated installations would be at risk. For such cases you simply need to have a current backup.
Updates are the most important protection
The best protection against it is first and foremost to keep all components up to date. And that is, quite apart from the fact that you can turn on automatic updates for WordPress, not so easy. Automatic updating only ensures that, when an attack or even just a vulnerability in the WordPress core itself becomes known, you benefit from the generally very fast updates. The problem that plug-ins and themes are often patched late or not at all is not solved by it.
WordPress is at risk. Not because it is particularly insecure, but because on the one hand it is extremely widespread and on the other hand there are always outdated and thus insecure installations. These are an easy and tempting target for cyber-criminals. And what they want is clear: to make money. Either directly, by blackmailing site operators with ransomware, or indirectly, by using the WordPress sites for drive-by infections, malicious SEO or the like and making money from that. What can you do about it?
Well, first of all keep the WordPress core, themes and plug-ins up to date so that you do not fall victim to an attack on an already-fixed vulnerability. Of course this does not protect against attacks on previously unknown vulnerabilities, such as the XSS vulnerability in the genericons package. Therefore it is important to harden the server. And if the worst comes to the worst and the server has been compromised, you need to act prudently but swiftly. How to do that is described elsewhere. It is very helpful then to have a backup that is as up to date as possible, and not on the server where it may also have been compromised or damaged!