
A PHP ransomware project open-sourced on GitHub is still spawning active threats, more than a year after it was released in early 2016.

The project, unimaginatively named "Ransomware," is the work of an Indonesian hacker who goes by the name of ShorTcut (or Shor7cut), a member of two hacking crews named Bug7sec and Indonesia Defacer Tersakiti.

During the past year, the source code of this project has been used in three different ransomware families targeting web servers.

Three ransomware families spawned from the GitHub project

The first one was a ransomware detected as JapanLocker, spotted in mid-October 2016 by Fortinet researchers. The name came from one of the email addresses used in the ransom note.

The second ransomware family is named Lalabitch and was spotted at the start of July 2017 by security researcher Michael Gillespie. The name came from the extension added at the end of encrypted files.

The third and most recent wave of PHP-based ransomware derived from the open-source project was also detected in July, but this version added the .ev extension at the end of encrypted files. Wordfence spotted this variant, and has been using the name EV Ransomware to detect and track its activity.

There is no evidence to link all three ransomware waves to the same distributor. Since the code was open-sourced on GitHub, we don't know if ShorTcut is behind the distribution of any family, as anyone could have cloned the repo and used it.

All three ransomware variants are duds

What is clear is that all three (JapanLocker, Lalabitch, and EV) do not feature a proper decryption mechanism.

The ransomware can encrypt files, but an error in the decryption process prevents victims from recovering files, even if they paid the ransom and received a decryption code.

"You will need an experienced PHP developer to help you fix their broken code in order to use the key and reverse the encryption," said Mark Maunder, Wordfence CEO.

At the time of writing, none of these three ransomware families has been at the center of any massive attack, each infecting only a few sites here and there.

Attackers also need to find a security flaw they can exploit to install the ransomware, which sounds easier than it actually is. An attacker needs to upload the ransomware PHP file to the server and run it to encrypt files. A visual interface is provided.

EV Ransomware setup GUI [above, author view] EV Ransomware ransom note [below, victim view]

Furthermore, most websites employ an automatic backup system at the site or server-level, so webmasters can easily restore their site's content when an attacker locks their files.

Because of this, EV ransomware is in line with other ransomware families that have targeted the server environment: extremely inefficient at extracting ransom payments from victims.

Wordfence, which runs a web firewall for WordPress, claims that EV ransomware targets only WordPress servers. Speaking to Bleeping Computer, security researcher MalwareHunter says the attacker can run the ransomware on any type of web server and lock any website CMS.

The attacker(s) might have targeted WordPress sites with EV ransomware because the CMS' large market share made vulnerable WordPress sites easier to find.

Other web-based ransomware has been spotted before

By no means is EV ransomware unique. Other ransomware families have targeted web servers in the past. The list includes:

CTB-Locker (the web server edition, also has a desktop version)
Heimdall (also open-sourced on GitHub, not seen in active campaigns)
KimcilWare (targeted mainly Magento installations)
Linux.Encoder.1 (targeted web servers and coding repositories)

We also have to list here the author of the Rex botnet, who, before entering the IoT malware scene, had hacked Drupal sites using an SQL injection and installed a defacement page made to look like a ransomware ransom note, attempting to scare victims into paying a ransom demand.

As a side note, the author of the KimcilWare ransomware is another Indonesia-based hacker. He evolved from web-based ransomware to desktop families. He is believed to have created ransomware families such as MireWare, MafiaWare, CryPy, SADStory, and L0CK3R74H4T. As we wrote in a previous article, all were junk, and the hacker never showed true coding skills.

UPDATE [August 16, 03:00 ET]: Just eight hours after we published our story, a security researcher who goes by the nickname of Guga identified a new ransomware strain targeting servers derived from the same GitHub repo.

Image credits: Michael Gillespie, Wordfence
