MalwareGone Threat Analysis – PHP Ransomware

Today we are going to explore a newer type of threat: ransomware, or more precisely PHP ransomware. Ransomware attacks have increased greatly over the last few years, and many variants have been written and are still in use in the wild. First, we should define what we mean when we talk about ransomware. We are specifically talking about a piece of code or software that encrypts your files in place and demands a ransom payment in exchange for the key that decrypts them. So, if you are the victim of a ransomware attack and do not have recent, verified backups, you could be in trouble! Short of paying the ransom (which does not guarantee that a working key will ever arrive), the only way to get your files back is if the ransomware is an older one for which security companies have already released a decryptor. If you are curious, here is a list of ransomware decryptor tools (use at your own risk!):

How does a ransomware infect a computer?

Traditional ransomware usually targets personal computers and is delivered by email or through compromised websites. Whether it arrives as an email attachment or is served from a hacked website, possibly using drive-by download techniques, the payload may disguise itself as a PDF, a Flash, Adobe or Java update, or some other type of executable. According to the PhishMe Q1 2016 Malware Review, 9 out of 10 phishing emails sent in March 2016 carried a ransomware payload. Read the full report here:


What about PHP Ransomware?

Since PHP is a widespread language used by many CMS platforms such as WordPress, Joomla, and Drupal, why not write ransomware in PHP that is able to:

  • Encrypt and decrypt the files on the web server
  • Tell the victim exactly what happened
  • Explain how to proceed and how to buy bitcoins
  • Provide a direct link for payment and key delivery
  • Offer "customer support"

This kind of ransomware already exists, and some variants require practically no interaction from the attacker: everything from the initial infection through encrypting the files, verifying the payment and sending the decryption key is automated. So the attacker has a piece of software that works for them with very little effort, and the payments are hard to trace since most of them only accept Bitcoin.

Heimdall Open Source Ransomware


Today we are going to analyze Heimdall, a PHP ransomware package created by the Brazilian developer Lenon Leite. According to the developer, the ransomware was created as a proof of concept and was published as open source on GitHub. As of now, the code has been removed from its original repository after criticism about how it could be used for malicious purposes, but you can still find it because other developers forked the original repository before it was removed: It was released on October 26, 2016, and so far there has been no report of it being used in the wild.

Analyzing Heimdall


When you open the main Heimdall PHP file on a web server you get the nice GUI above, which is basically an interface for the attacker to enter the password that the ransomware will use to encrypt the files on the server with AES-128-CBC. It encrypts everything under the $_SERVER['DOCUMENT_ROOT'] folder, which the PHP manual defines as the "[…] root directory under which the current script is executing, as defined in the server's configuration file" –

So everything inside the web server's content folder will be encrypted, or more precisely every file there that the PHP process has permission to overwrite, since the ransomware runs with the web server account's privileges and nothing more. When running our proof-of-concept test, we also found that Heimdall shows a log of its activity during the encryption process, as you can see below:


Here is the function that is used for encrypting files:


Once it is done, every file is renamed to a base64 string that begins with "Heimdall", which at least makes the encrypted files easy to recognize.


The function for decrypting files is similarly simple:


However, you have to supply the correct information (the same password and cipher parameters that were used for encryption) to decrypt the content:


For performance, the interface uses jQuery to drive the encryption from the browser in 500-byte chunks spread over several requests, so that no single request grows large enough to overrun the PHP process's memory or execution-time limits:
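To make the encryption, renaming and decryption sections above concrete, here is an added example written for this article. It is not Heimdall's code and does not reproduce its exact file layout or key handling: the PBKDF2 key derivation, the salt/IV framing and the URL-safe base64 alphabet in the file name are this example's own choices. It shows the primitive the article describes (AES-128-CBC under an attacker-chosen password, a "Heimdall"-prefixed base64 name) and why decryption only succeeds with the same password, IV and cipher parameters. It works on constructed in-memory data and touches no files.

```php
<?php
// Added example for this article, not Heimdall's own code.
// Demonstrates AES-128-CBC under a password, "Heimdall"-prefixed file names,
// and why decryption needs the exact same key material.

const CIPHER   = 'aes-128-cbc';
const KEY_LEN  = 16;   // AES-128 key size in bytes
const IV_LEN   = 16;   // AES block size; CBC needs one IV per file
const SALT_LEN = 16;

// Derive a 16-byte key from the password (PBKDF2 is this example's choice).
// Caveat: handing a raw password string to openssl_encrypt() also "works",
// but PHP then silently NUL-pads or truncates it to 16 bytes, so derive explicitly.
function derive_key(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, 100000, KEY_LEN, true);
}

// Returns salt || iv || ciphertext. A fresh salt and IV per file means two
// identical files do not produce identical ciphertext.
function encrypt_blob(string $plaintext, string $password): string
{
    $salt = random_bytes(SALT_LEN);
    $iv   = random_bytes(IV_LEN);
    $ct   = openssl_encrypt($plaintext, CIPHER, derive_key($password, $salt), OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $salt . $iv . $ct;
}

// Returns the plaintext, or null when the blob is malformed or the password is
// wrong. With CBC + PKCS#7 a wrong key almost always fails the padding check and
// openssl_decrypt() returns false, but roughly 1 in 256 wrong keys yields garbage
// that pads correctly, so a real recovery tool needs an integrity check (a MAC)
// before trusting the output.
function decrypt_blob(string $blob, string $password): ?string
{
    if (strlen($blob) < SALT_LEN + IV_LEN) {
        return null;
    }
    $salt = substr($blob, 0, SALT_LEN);
    $iv   = substr($blob, SALT_LEN, IV_LEN);
    $ct   = substr($blob, SALT_LEN + IV_LEN);
    $pt   = openssl_decrypt($ct, CIPHER, derive_key($password, $salt), OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// File naming modelled on the article's description ("Heimdall" + base64).
// Standard base64 contains '/', which cannot appear in a file name, so this
// example uses the URL-safe alphabet; that detail is an assumption, not Heimdall's.
function ransom_name(string $original): string
{
    return 'Heimdall' . strtr(base64_encode($original), '+/', '-_');
}

function original_name(string $ransom): ?string
{
    if (strncmp($ransom, 'Heimdall', 8) !== 0) {
        return null;
    }
    $decoded = base64_decode(strtr(substr($ransom, 8), '-_', '+/'), true);
    return $decoded === false ? null : $decoded;
}

// Demo on constructed input.
$password = 'attacker-chosen-password';
$content  = "<?php\necho 'index page';\n";   // constructed sample file content
$blob     = encrypt_blob($content, $password);

printf("renamed to     : %s\n", ransom_name('index.php'));
printf("original name  : %s\n", original_name(ransom_name('index.php')));
printf("right password : %s\n", decrypt_blob($blob, $password) === $content ? 'plaintext recovered' : 'mismatch');
printf("wrong password : %s\n", decrypt_blob($blob, 'guess') === null ? 'rejected' : 'garbage output');
```

The practical lesson for a victim is in decrypt_blob(): without the password there is nothing to brute-force cheaply (PBKDF2 with 100,000 iterations makes every guess expensive), and the IV and salt stored next to the ciphertext are useless on their own. With the password, recovery is a one-liner, which is exactly why the attacker's entire business model is withholding it.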


If you are interested in more insight, the original developer published a video on YouTube showing how to use Heimdall:

How to protect your server and yourself

By now you must be wondering how to defend yourself and avoid being hit by this kind of malware. First things first:

  • Choose your passwords wisely, especially for your server, CMS or blog. Use a unique, strong password for each account, rotate any that may have been exposed, and consider a password manager such as 1Password or LastPass to generate and protect them.
  • Use two-factor authentication! It adds an extra layer of security to your credentials, so even if your password leaks an attacker would still need your second factor (for example, your phone) to get into your account. This site lists the services that let you enable 2FA:
  • Review all your server access and file permissions. The web server's account should only be able to write where it genuinely needs to (an uploads or cache folder, for instance), because a PHP ransomware runs with exactly that account's permissions and can only encrypt what it can overwrite. Don't leave sensitive files in folders that anyone can access, like /tmp.
  • Make sure your server is up to date to protect against well-known vulnerabilities. Not just the OS, but the web server and all the applications installed on it as well. This includes WordPress and all of its themes and plugins!
  • Run real-time antivirus protection on your server, even if it's Linux. There are many great free tools out there; see which one best suits your needs.
  • Finally, of course, have good backups! Keep an off-site backup of all of your data, and test that you can actually restore from it before you need to.
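The permissions and backup points above are easy to state and easy to get wrong, so here is an added audit script written for this article (it is not part of Heimdall or of any CMS). Run it as the account the web server executes PHP under, for example `sudo -u www-data php webroot_audit.php /var/www/html`, so that is_writable() answers for exactly the permissions a PHP ransomware would have. It reports how many files under the document root that account could overwrite in place (Heimdall's blast radius) and flags any file name carrying the "Heimdall" prefix the article describes. The script name, the path argument and the fallback to $_SERVER['DOCUMENT_ROOT'] are assumptions.

```php
<?php
// Added audit script for this article, not part of Heimdall or of any CMS.
// Usage (assumed): sudo -u www-data php webroot_audit.php /var/www/html
// Reports what the current account could encrypt in place and any files already
// renamed with the "Heimdall" prefix described in the article.

function audit_webroot(string $root, int $maxExamples = 10): array
{
    $report = [
        'total'             => 0,
        'writable'          => 0,
        'writable_examples' => [],
        'heimdall_named'    => [],
    ];

    $dirs = new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS);
    // CATCH_GET_CHILD: a subdirectory we cannot read is skipped instead of
    // aborting the whole walk.
    $files = new RecursiveIteratorIterator(
        $dirs,
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD
    );

    foreach ($files as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $report['total']++;

        // In-place encryption needs write access to the file itself, or to its
        // directory (delete and recreate under the same name). Either one puts
        // the file at risk.
        if (is_writable($path) || is_writable(dirname($path))) {
            $report['writable']++;
            if (count($report['writable_examples']) < $maxExamples) {
                $report['writable_examples'][] = $path;
            }
        }

        // Indicator from the article: encrypted files are renamed to a base64
        // string starting with "Heimdall".
        if (strncmp($info->getFilename(), 'Heimdall', 8) === 0) {
            $report['heimdall_named'][] = $path;
        }
    }
    return $report;
}

$root = $argv[1] ?? ($_SERVER['DOCUMENT_ROOT'] ?? getcwd());
$r    = audit_webroot($root);

printf("%s: %d files, %d of them writable by the current user\n", $root, $r['total'], $r['writable']);
foreach ($r['writable_examples'] as $p) {
    echo "  writable: $p\n";
}
if ($r['heimdall_named'] !== []) {
    echo "WARNING: files with the Heimdall prefix found:\n";
    foreach ($r['heimdall_named'] as $p) {
        echo "  $p\n";
    }
}
```

For a typical CMS install the only writable paths reported should be the upload and cache directories. A writable index.php or wp-config.php means that anything running as the web server account, whether Heimdall or a compromised plugin, can rewrite the site at will, and that is the finding to fix before worrying about which antivirus to install.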

If you have any suggestions for our next article, or would like us to analyze a malicious file, please send it to us and we'll take a look. Enjoy!

