“During our analyses of malicious traffic targeting WordPress sites”, the report states, “we captured several attempts to upload ransomware that provides an attacker with the ability to encrypt a WordPress website’s files.”
For every directory that the ‘EV Ransomware’ successfully encrypts, an email is generated to inform the attacker of the hostname and key used. The encryption appears to use mcrypt and the Rijndael 128 algorithm, with a SHA-256 hash used as the key.
It seems that the attack is badly coded, however, and decryption logic is missing from the supposed ‘ransom paid’ form. Victims wouldn’t be able to regain control of their files even if the ransom were to be paid.
This is bad news for those individuals and SMEs that tend to favour WordPress on grounds of cost and simplicity. Which doesn’t mean that larger enterprises are off the hook; threat actors will turn their attention to the broader web property space if a profit can be made.