Skip to content
Naked Security Naked Security

PHP ransomware attacks blogs, websites, content managers and more…

We've had ransomware for Windows, Android, Linux, and even MS-DOS. Now there's ransomware in PHP, designed to hold your web server hostage.

Most file-scrambling ransomware is written for Windows computers, although it can encrypt files anywhere they’re writable, including Macs, file servers and cloud storage sites.

We’ve seen a few attempts at both Android and Linux ransomware.

And, if you cast your mind back, you may remember that the very first ransomware, more than 25 years ago, was the AIDS Information Trojan, that ran on good old MS-DOS.

AIDS Information Trojan “pay page” from 1989/1990

Now, sadly, we’ve got a whole new sort of ransomware, written in PHP.

What is PHP?

PHP is a programming language intended to help you produce dynamically-generated content on your web server, typically by embedding PHP commands inside your HTML pages.

Before the page is sent out by the server, the PHP script parts are executed, and replaced in the final page with the output from the script.

In the input file below, for example, the part between <?php and ?> is run by the PHP processor…

…and converted into output that looks something like this:

Many, if not most, web servers make use of PHP, automatically processing files with a .php extension before they are served up.

PHP is sort-of like JavaScript, except that the script processing is done on the server before the page goes out. JavaScript, in contrast, is sent to your browser and the script processing is done inside the browser after the page is received but before it is displayed.

PHP malware

Notably, most content and management systems, such as WordPress, Joomla and Drupal, use PHP.

In other words, if a crook has your blog password and can upload files to your server, or if you have an unpatched server plugin that allows him to modify files that are supposed to be write-protected, and he can alter one or more of your PHP files…

…then he can install a payload on your website that will trigger whenever anyone happens to visit the booby-trapped page.

Indeed, he can activate the payload himself at will by accessing the page himself in what appears to be an entirely innocent web request.

That’s how the malware known as Troj/PHPRansm-B works.

It infects your server by means of a file called index.php that contains:

  • File encrypting and decrypting code using PHP.
  • Style-sheet information using CSS, plus inline images.
  • A “pay page” using HTML and JavaScript.

The file encryption doesn’t happen every time the page is viewed, only when the crook himself submits a specially-formatted upload request in which he specifies two passwords, a “test” password and a “full” password.

Once the encryption is kicked off, two randomly-chosen files are encrypted with the test pasword, and the rest with the full password. (The encryption uses the AES cipher in CBC mode.)

Anyone else visiting the page – embarrassingly, this may very well include your prospects and customers – will see a warning page like this:

Troj/PHPRansm-B “pay page” from 2016

Simply put, you need to fork over BTC 0.4 (0.4 bitcoins, currently about $170) to get the full password back from the crooks.

You may recognise the name “CTB-Locker” from the pay page: that name was also used by the crooks behind a widespread Windows ransomware campaign back in 2014.

(You can read about the Windows version of CTB-Locker and other ransomware variants in the SophosLabs paper The Current State of Ransomware, published in December 2015.)

If you need convincing that paying up is likely to work, you can click on the [Free decrypt] button to upload the “test” files that were encrypted with the test paswords.

Even if you use a web debugger to intercept the free decryption function, and successfully extract the test password from memory, it won’t help you to unscramble any of your other files.

And there’ even a [Chat] window where you can communicate with the crooks:

Chat room

If you have any questions or suggestions, please leave a 
english message below. To prove that you are an administrator, 
you must specify the name of the secret file that is in same 
directory with index.php. We will reply to you within 24 hours.

What to do?

  • Pick a proper password for your web server, content management system or blog. We shouldn’t have to say this, but don’t choose the same password that you have used anywhere else.
  • Consider using two-factor authentication. This usually works by sending you an SMS, or requiring you to run a special code-generating app on your phone, with a one-time code to complete your login. This means your password alone is not enough.
  • Review all your server access permissions. Make sure that guest users, for example, can’t modify files they aren’t supposed to.
  • Make sure your server is patched against security holes. This means updating the operating system, your blogging or web server software, the PHP application, your site’s themes and plugins, and much more.
  • Run a real-time anti-virus on your server. Yes, even if it’s Linux. Especially if it’s Linux. By the way, Sophos Anti-Virus for Linux is 100% free for desktops and servers, at work and at home.

PS. If you’re still not convinced that cybercrooks and malware are a problem in the Linux world, have a listen to our When Penguins Attack podcast:

LISTEN NOW

(Audio player not working? Download MP3, listen on Soundcloud, or read the transcript.)


Image of locked computer courtesy of Shutterstock.

11 Comments

I think the first recommendation ought to be to keep proper backups! Doubly so for web servers as the amount of data is usually far less, and it is much easier to justify the cost.

Loosely related, this months’ BOFH item on the register includes a joke about an incompetently administered WordPress website. The punchline is that the site gets mirrored every hour to recover from the frequent hacks.

http://www.theregister.co.uk/2016/02/26/bofh_2016_episode_3/

Going after PHP servers shows their desperation because victims are choosing *not* to pay in higher numbers. I’ve had some customers hit with CTB (on Windows) and like most professionals, I simply advise not to pay. If the system owner acts quickly, and as long as no utilities have been run against the OS (file/reg cleaners & malware removers), I’ve been successful in retrieving most of the customers personal files from the sysvol info. Paul! You need to emphasize having real-time AV with 26 pt font! This is the No. 1 reason for these successful attacks. Wake up people.

Many ransomware examples deliberately delete things like restore points as part of their programming…so you really do need that offline, preferably offsite backup!

One would think that hosting sites have their users covered against this sort of thing. Or is that not a safe assumption?

Backup is a good start :-) If a hosting company has a decent version control system, you might be able to use that to roll back to a known-good state.

Of course, hosting companies offer different sorts of service – if they let you set up your own WordPress, say, or add your own plugins, or choose your own list of ste admins, it’s hard for them to protect you from yourself – they could stsrt you out omn something that’s secure, only for you to weaken it by mistake.

If you open the webpage with Sandboxie (sandboxed web browser), the encryption will disappear when you delete the sandbox. If you have Shadow Defender enabled, just restart your computer. Poof!

Accessing the infected web page triggers the encryption…but the encryption happens on the *server*, not on your computer. PHP scripts aren’t sent to your browser. They are consumed and removed from the page before it’s served up.

WordPress, Joomla these all are website making site with PHP interface. How it is can relate to the ransomware process! And what does it mean by the encryption process through the web on PHP!

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?