PHP ransomware attacks blogs, websites, content managers and more…

Most file-scrambling ransomware is written for Windows computers, although it can encrypt files anywhere they’re writable, including Macs, file servers and cloud storage sites.

We’ve seen a few attempts at both Android and Linux ransomware.

And, if you cast your mind back, you may remember that the very first ransomware, more than 25 years ago, was the AIDS Information Trojan, that ran on good old MS-DOS.

AIDS Information Trojan “pay page” from 1989/1990

Now, sadly, we’ve got a whole new sort of ransomware, written in PHP.

What is PHP?

PHP is a programming language intended to help you produce dynamically-generated content on your web server, typically by embedding PHP commands inside your HTML pages.

Before the page is sent out by the server, the PHP script parts are executed, and replaced in the final page with the output from the script.

In the input file below, for example, the part between <?php and ?> is run by the PHP processor…

…and converted into output that looks something like this:
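The input file and its output were shown as images that are not reproduced here. As an added illustration (not the article's own example), here is what such an input file looks like on the server; the page content, the variable name and the use of the visitor's address are assumptions made for the example:

```php
<?php
// Added illustration, not code from the original article.
// Everything outside the <?php ... ?> tags is sent to the browser verbatim;
// the code inside the tags runs on the server, and its printed output takes
// the place of the tags in the page the browser receives.
//
// The visitor's address comes from the request, so it is escaped before being
// echoed into HTML; treating request data as untrusted is the habit that keeps
// a dynamic page from becoming an injection point.
$visitor = htmlspecialchars($_SERVER['REMOTE_ADDR'] ?? 'unknown', ENT_QUOTES, 'UTF-8');
?>
<html>
<body>
<p>Generated at <?php echo date('Y-m-d H:i:s'); ?> for <?php echo $visitor; ?>.</p>
<p>The browser only ever sees the text this script printed, never the PHP source.</p>
</body>
</html>
```

Saved as, say, hello.php and served by a PHP-enabled web server (or by PHP's built-in development server, started with `php -S localhost:8080`), the browser receives only the finished HTML, with a line such as `<p>Generated at 2016-02-16 10:15:42 for 203.0.113.5.</p>` (constructed sample values) where the PHP tags used to be. The `<?php` blocks themselves never leave the server, which is exactly why code planted in a server-side file can run on every visit without anything suspicious showing up in the page source a visitor sees.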

Many, if not most, web servers make use of PHP, automatically processing files with a .php extension before they are served up.

PHP is sort-of like JavaScript, except that the script processing is done on the server before the page goes out. JavaScript, in contrast, is sent to your browser and the script processing is done inside the browser after the page is received but before it is displayed.

PHP malware

Notably, most content management systems, such as WordPress, Joomla and Drupal, use PHP.

In other words, if a crook has your blog password and can upload files to your server, or if you have an unpatched server plugin that allows him to modify files that are supposed to be write-protected, and he can alter one or more of your PHP files…

…then he can install a payload on your website that will trigger whenever anyone happens to visit the booby-trapped page.

Indeed, he can activate the payload at will simply by visiting the page himself, in what appears to be an entirely innocent web request.

That’s how the malware known as Troj/PHPRansm-B works.

It infects your server by means of a file called index.php that contains:

  • File encrypting and decrypting code using PHP.
  • Style-sheet information using CSS, plus inline images.
  • A “pay page” using HTML and JavaScript.

The file encryption doesn’t happen every time the page is viewed, only when the crook himself submits a specially-formatted upload request in which he specifies two passwords, a “test” password and a “full” password.

Once the encryption is kicked off, two randomly-chosen files are encrypted with the test password, and the rest with the full password. (The encryption uses the AES cipher in CBC mode.)

Anyone else visiting the page – embarrassingly, this may very well include your prospects and customers – will see a warning page like this:

Troj/PHPRansm-B “pay page” from 2016

Simply put, you need to fork over BTC 0.4 (0.4 bitcoins, currently about $170) to get the full password back from the crooks.

You may recognise the name “CTB-Locker” from the pay page: that name was also used by the crooks behind a widespread Windows ransomware campaign back in 2014.

(You can read about the Windows version of CTB-Locker and other ransomware variants in the SophosLabs paper The Current State of Ransomware, published in December 2015.)

If you need convincing that paying up is likely to work, you can click on the [Free decrypt] button to upload the “test” files that were encrypted with the test password.

Even if you use a web debugger to intercept the free decryption function, and successfully extract the test password from memory, it won’t help you to unscramble any of your other files.

And there’s even a [Chat] window where you can communicate with the crooks:

Chat room

If you have any questions or suggestions, please leave a 
english message below. To prove that you are an administrator, 
you must specify the name of the secret file that is in same 
directory with index.php. We will reply to you within 24 hours.

What to do?

  • Pick a proper password for your web server, content management system or blog. We shouldn’t have to say this, but don’t choose the same password that you have used anywhere else.
  • Consider using two-factor authentication. This usually works by sending you an SMS, or requiring you to run a special code-generating app on your phone, with a one-time code to complete your login. This means your password alone is not enough.
  • Review all your server access permissions. Make sure that guest users, for example, can’t modify files they aren’t supposed to.
  • Make sure your server is patched against security holes. This means updating the operating system, your blogging or web server software, the PHP application, your site’s themes and plugins, and much more.
  • Run a real-time anti-virus on your server. Yes, even if it’s Linux. Especially if it’s Linux. By the way, Sophos Anti-Virus for Linux is 100% free for desktops and servers, at work and at home.
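The permissions review in the list above is easy to describe and tedious to do by hand. The following is an added example, not code from the article or from any Sophos product: a command-line PHP script that walks a web root and reports the conditions the article warns about, namely anything world-writable, PHP files that the web server account itself can overwrite (so a compromised plugin or a stolen CMS login could replace them), and PHP files that changed recently. The default path /var/www/html, the account name www-data and the seven-day look-back are assumptions; pass your own values on the command line.

```php
<?php
// Added example, not part of the original article or of any Sophos product.
// Usage (run on the server, as a user that can read the whole web root):
//   php audit-webroot.php /var/www/html www-data 7
// Arguments: web root, web server account, look-back in days (all assumed defaults).

$root    = $argv[1] ?? '/var/www/html';
$webUser = $argv[2] ?? 'www-data';
$days    = (int) ($argv[3] ?? 7);
$cutoff  = time() - $days * 86400;

// Resolve the web server account to numeric ids so we can compare with file owners.
$webUid = $webGid = null;
if (function_exists('posix_getpwnam') && ($pw = posix_getpwnam($webUser)) !== false) {
    $webUid = $pw['uid'];
    $webGid = $pw['gid'];
}

$findings = [];

$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::SELF_FIRST
);

foreach ($it as $path => $info) {
    $perms = $info->getPerms();
    $owner = $info->getOwner();
    $group = $info->getGroup();

    // World-writable files or directories: any account on the box, including a
    // guest user, can plant or replace content here.
    if ($perms & 0002) {
        $findings[] = "world-writable: $path";
    }

    if ($info->isFile() && strtolower($info->getExtension()) === 'php') {
        // The web server process should be able to READ code, not rewrite it.
        // If it owns a PHP file, or its group can write it, code running as that
        // account (a buggy plugin, an upload form) can modify the script in place.
        $serverCanWrite =
            ($webUid !== null && $owner === $webUid && ($perms & 0200)) ||
            ($webGid !== null && $group === $webGid && ($perms & 0020));
        if ($serverCanWrite) {
            $findings[] = "writable by $webUser: $path";
        }

        // On a production site, PHP files should only change when you deploy or
        // update, so recent modifications are worth a look.
        if ($info->getMTime() >= $cutoff) {
            $findings[] = sprintf('modified %s: %s', date('Y-m-d H:i', $info->getMTime()), $path);
        }
    }
}

if (!$findings) {
    echo "No findings under $root\n";
} else {
    echo count($findings) . " finding(s) under $root:\n";
    foreach ($findings as $f) {
        echo "  $f\n";
    }
}
```

A clean run on a well-configured site reports only the directories the CMS genuinely needs to write to (uploads, cache) and the files touched by your last deliberate update; a PHP file under a writable directory, or one with a modification time you cannot account for, is what to investigate first. The check relies on the POSIX extension to look up the account; on a build without it the owner comparison is skipped and only the world-writable and recently-modified checks run.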

PS. If you’re still not convinced that cybercrooks and malware are a problem in the Linux world, have a listen to our When Penguins Attack podcast:

