
Php Ransomware

Posted: July 8, 2019

The Php Ransomware is a file-locking Trojan from the Dharma Ransomware's family, a Ransomware-as-a-Service business. The Php Ransomware can block your access to digital media by encrypting it and may remove the Shadow Volume Copies as part of its extortion attempt. Server security protocols can stop infections before they occur, backups can limit the damage, and anti-malware utilities can uninstall the Php Ransomware safely from a compromised system.

Trojans Describing Their Targets through Extensions

Two parallel-running variants of the Dharma Ransomware are leaving exceptionally transparent indicators of which victims they're targeting with their file-locking attacks. The payloads of these threats – the Php Ransomware and the Dqb Ransomware – lack any internal updates that would separate them significantly from old relatives like the Dharma-Gate Ransomware, the LOVE Ransomware, the 'seeyoubro@tutanota.com' Ransomware, or the 'sebekgrime@tutanota.com' Ransomware. The extensions that the Php Ransomware and its twin use, however, are more meaningful than one might think.

Threat actors can rent a Ransomware-as-a-Service like the Dharma Ransomware family after paying a fee or a percentage of the ransoms that they collect. In doing so, they can make cosmetic changes, such as changing the address in the ransom note or the extension that the Trojan appends to filenames. The Php Ransomware's extension is of interest to malware researchers because it references PHP, a scripting language oriented toward Web development.

The Php Ransomware's theme implies the not-unusual behavior of a campaign targeting business and government networks or servers rather than individual, casual-use PCs. Threat actors favoring this strategy may design e-mail messages with their victims in mind, including custom attachments and macro-hosting documents, or target entities according to whoever is using vulnerable software or login combinations. Examples of relevant vulnerabilities in the latter case include factory-default passwords and weaknesses like CVE-2017-5340 in versions of PHP before 7.1.1.

Like any file-locking Trojan, the Php Ransomware's most crucial feature is an encryption routine that blocks the system's files, such as databases or documents. Modern versions of its family have no working, public decryptors and they're secure against free solutions.

Removing the Guesswork from Your Server's Safety

Aside from an extreme minority of attacks that abuse zero-day exploits, nearly all file-locking Trojans use infection vectors that users can shut down preemptively. Workers educated on the formats of phishing lures can identify these tactics and avoid unsafe interactions with harmful content, such as a corrupted PDF posing as an invoice. Server admins can update their software, use unique passwords, and disallow public RDP access to harden the server's defenses.

The Php Ransomware includes other symptoms besides locking files and changing their names slightly. It also creates ransom notes, which malware experts categorize as small updates to previous messages from the Dharma Ransomware, and erases the Shadow Volume Copies. The second behavior may be of more concern to victims since it prevents any Restore Point-dependent recoveries.
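Because the Shadow Volume Copy deletion is the symptom that most directly decides whether a victim can recover without paying, it is also the behavior worth alerting on. The following is an added defensive example, not code from the original article or from any vendor: it runs simple detection rules over process-creation events and flags the commands ransomware families of this kind use to destroy shadow copies and disable Windows recovery. The event records are constructed, simplified stand-ins for Windows Security 4688 / Sysmon Event ID 1 data, and the field names (host, user, parent, cmdline), rule names and severity scheme are this example's own assumptions. It generalizes slightly beyond the article by also covering wmic, PowerShell WMI and bcdedit variants of the same recovery-inhibition step.

```python
"""Flag Shadow Volume Copy deletion and recovery tampering in process-creation logs.

Added defensive example; the event shape is a constructed simplification of
Windows Security 4688 / Sysmon Event ID 1 records, not real telemetry.
"""
import re

# Each rule is (name, regex) applied to the lower-cased, whitespace-normalised
# command line. First matching rule wins.
RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"win32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b")),
]

# A parent executable living in a user-writable directory is a stronger signal
# than the same command launched from an admin's cmd.exe session.
USER_WRITABLE = re.compile(r"\\(?:users\\[^\\]+\\|programdata\\|temp\\|appdata\\)", re.IGNORECASE)


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so the rules are case/spacing insensitive."""
    return " ".join(cmdline.lower().split())


def classify(event: dict):
    """Return (rule_name, severity) when the event matches a rule, else None."""
    cmd = normalise(event["cmdline"])
    for name, pattern in RULES:
        if pattern.search(cmd):
            severity = "high" if USER_WRITABLE.search(event.get("parent", "")) else "medium"
            return name, severity
    return None


def scan(events):
    """Run classify() over a list of events and return the alerts in order."""
    alerts = []
    for ev in events:
        hit = classify(ev)
        if hit:
            alerts.append({"host": ev["host"], "user": ev["user"], "rule": hit[0],
                           "severity": hit[1], "cmdline": ev["cmdline"]})
    return alerts


# Constructed sample events: two benign admin actions and three recovery-tampering commands.
SAMPLE_EVENTS = [
    {"host": "srv-web01", "user": "SRV-WEB01\\svc_backup", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "vssadmin list shadows"},                                   # benign inventory
    {"host": "srv-web01", "user": "SRV-WEB01\\Administrator", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": "C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-web01", "user": "SRV-WEB01\\Administrator", "parent": "C:\\Users\\Public\\update.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv-db02", "user": "SRV-DB02\\Administrator", "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "srv-db02", "user": "SRV-DB02\\dba", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "notepad.exe C:\\inetpub\\wwwroot\\index.php"},           # benign
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']}] {alert['host']} {alert['user']} {alert['rule']}: {alert['cmdline']}")
```

Run against the constructed sample, the scan raises three alerts (two high-severity shadow-copy deletions launched from a user-writable path, one medium-severity bcdedit change) and stays silent on the "vssadmin list shadows" inventory command, which is why the rules key on the verb rather than on the vssadmin binary alone. In a real deployment, the same logic would feed from a SIEM query over 4688 or Sysmon events with command-line auditing enabled, and the medium-severity hits would still merit a ticket, since legitimate use of these commands on a server is rare.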

Without a free decryptor, as with most Trojans of this class, preventing or promptly removing infections becomes even more essential than usual. Users with appropriate anti-malware software should delete the Php Ransomware while scanning their computers, or rely on that software to identify an installation attempt automatically.

The Php Ransomware is a new worry for server admins, but it's not very different from threats that should already be on everyone's radar. Users without backups are leaving both their data and their finances in a ticking time bomb situation that the Dharma Ransomware's kin can exploit happily.
