What Is the PHP Ransomware Project?

More often than not, people wonder where all of these new ransomware threats keep coming from. One answer is a PHP open-source project called “Ransomware” which can be accessed through GitHub. It is a popular project and one that has been active since early 2016. Researchers believe this GitHub project was developed by an Indonesian hacker who is also a member of two large hacking crews. It seems the open-source code presented in this repository has been identified in a few other ransomware types discovered over the past twelve months.

PHP Ransomware Project is Still Going Strong

You may not have heard of the PHP Ransomware Project. The project has been around for over a year, but no one would expect code on GitHub to spawn as many different malware creations as it has. Its code has now been discovered in a number of variations of malware released since early 2016.

Not all of those ransomware strains were developed by the same person who created the PHP project in the first place. Instead, individuals accessed this code freely through Github and used it to build their own projects accordingly. It is pretty common to see ransomware developers take code from existing projects, but less common for a particular GitHub repository to be designed specifically for that purpose.

Researchers successfully identified a few critical ransomware types using this repo’s source code. JapanLocker was the first, which made a bit of an impact last July. Lalabitch, released in July of this year, was another malware variant which made use of this particular repo’s source code. Last but not least, EV Ransomware is the latest strain of its kind to make use of the code. We may very well see new types based on the PHP Ransomware repository in the future. For now, though, most of the activity has subsided.

Since the source code for all three ransomware projects was made publicly available, it is impossible to tell who is behind these individual developments. It is certainly possible the alleged creator of this GitHub repo is the person responsible for at least one version of the ransomware, but there is no hard evidence to back that up. One thing is for sure: none of the three aforementioned ransomware types has a decryption mechanism, which is concerning to security experts.

Ransomware is designed in such a way that it forces victims to pay a ransom — often in Bitcoin — in order to have their encrypted files decrypted. Without a decryption mechanism in place, that becomes impossible, regardless of whether or not victims pay the demanded sum.  Unfortunately, this has slowly become a new trend in ransomware, as we have seen a few versions which do not include any decryption capability whatsoever. This does not mean their code does not have encryption capabilities, but rather the code is so buggy that it becomes nearly impossible to get files decrypted easily.

All of this goes to show that web-based ransomware is an emerging trend. Making source code of existing ransomware projects freely accessible will create a lot of new problems for computer users. Especially in the web-based ransomware department, that could prove quite problematic. Malicious software capable of attacking websites, for example, is currently quite unusual, but is expected to become a more popular trend over the next few years. We can only hope for better decryption mechanisms when that time comes.