
Ensiko

Posted: July 28, 2020

Ensiko is the name of a threatening tool that an unknown group of cybercriminals uses to wreak havoc on vulnerable Web servers around the world. Ensiko does not operate as a standalone piece of malware that random victims might run; instead, it must be planted manually on a Web server whose security has already been compromised. It is important to add that Ensiko can only run if the hacked server has PHP available. In general, Ensiko works like a Web shell that lets a remote attacker carry out various tasks on the compromised Web server. What makes it more notable is that its features allow it to cause harm to Linux, macOS and Windows servers alike.

One of the most interesting features of the Ensiko Web shell is its ability to execute a file-encryption attack against the hacked Web server. The ransomware component appends the '.bak' extension to the files it locks, and it relies on the Rijndael-128 cipher to encrypt them. Instead of targeting specific files, the Ensiko Ransomware module encrypts entire directories, along with all the sub-folders they contain.

The creators of Ensiko have taken strict measures to protect their Web shell from unauthorized access. Anyone who loads the URL of the Ensiko implant sees a fake 404 message, which contains a hidden authorization field that the criminals use to enter their password. Once the attackers have authenticated, they gain full access to all of the Ensiko Web shell's features. They can:

  • Check the infected host for other active Web shells and terminate them.
  • Download additional modules from a pre-made PasteBin page.
  • Download CGI-Telnet, a utility that enables remote command execution.
  • Open a reverse PHP shell.
  • Use a mass defacing tool that can overwrite PHP and HTML files with custom content.
  • Brute-force local Web services such as FTP, cPanel, phpMyAdmin and others.
  • Download files.
  • Manage files.
  • Self-delete.

Web administrators should secure their servers by applying the latest updates to all software and services. In addition, they should make sure that all login credentials are unique, and use passwords that combine symbols, numbers, and lowercase and uppercase letters. Ensiko is deployed exclusively on compromised Web servers, and weak login credentials or vulnerable services are the usual infection vectors.
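To give administrators a concrete check for the two behaviours described above, here is an added example (not code from the original article, and not Ensiko's own code): a Python script that flags PHP files rendering a 404 message while embedding a password field, and directories in which most files carry the '.bak' extension. The regexes, thresholds and the constructed sample tree are assumptions for illustration, not published Ensiko indicators.

```python
import os
import re
import tempfile
from pathlib import Path

# Heuristics derived from the behaviour described in the article (assumptions,
# not published Ensiko signatures): a PHP file that prints a "404" message yet
# also carries a password input, and a directory where most files have been
# renamed to '.bak' after encryption.
FAKE_404_RE = re.compile(r"404\s+Not\s+Found", re.IGNORECASE)
PASSWORD_FIELD_RE = re.compile(r'type\s*=\s*["\']password["\']', re.IGNORECASE)


def php_files_with_fake_404(webroot):
    """Return PHP files that serve a 404 body but still embed a password field."""
    hits = []
    for path in Path(webroot).rglob("*.php"):
        text = path.read_text(errors="ignore")
        if FAKE_404_RE.search(text) and PASSWORD_FIELD_RE.search(text):
            hits.append(str(path.relative_to(webroot)))
    return sorted(hits)


def dirs_with_mass_bak(webroot, threshold=0.5, min_files=3):
    """Return directories where at least `threshold` of the files end in .bak."""
    flagged = []
    for dirpath, _, filenames in os.walk(webroot):
        if len(filenames) < min_files:
            continue
        bak = sum(1 for f in filenames if f.endswith(".bak"))
        if bak / len(filenames) >= threshold:
            flagged.append(os.path.relpath(dirpath, webroot))
    return sorted(flagged)


def build_sample_webroot():
    """Constructed sample tree (not real Ensiko artefacts) for a dry run."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'hello'; ?>")
    (root / "img").mkdir()
    (root / "img" / "x.php").write_text(
        '<h1>404 Not Found</h1><form><input type="password" name="p"></form>')
    (root / "uploads").mkdir()
    for name in ("a.jpg.bak", "b.pdf.bak", "c.txt.bak", "readme.txt"):
        (root / "uploads" / name).write_text("x")
    return str(root)


if __name__ == "__main__":
    root = build_sample_webroot()
    print(php_files_with_fake_404(root), dirs_with_mass_bak(root))
```

Run it against a real webroot by replacing `build_sample_webroot()` with the document root path; treat hits as leads for manual review rather than verdicts.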
