EV, or EV Ransomware, targets WordPress websites that are vulnerable to compromise. Once a site is compromised, the attacker behind the campaign launches the ransomware's encryption routine from a user interface that provides various options. EV uses the Rijndael 128 encryption algorithm and appends .EV to the names of encrypted files. After each targeted directory is processed, EV sends an email containing the host name and the encryption key to htaccess12@gmail.com. However, according to researchers at Wordfence, the encryption process actually damages code within the affected files, and the decryption key will not be able to unlock the encrypted files. Because files are damaged in this attack, administrators of WordPress-powered websites are advised to make and maintain reliable backups of their website files and keep them stored offline and in a secure location.

  • Wordfence has more information about EV Ransomware here.
  • The NJCCIC is not aware of any decryption tools available for EV Ransomware.
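Because recovery depends on backups rather than decryption, it helps to know exactly which files must be restored. The following is an added example, not code from Wordfence or the NJCCIC: it compares a site tree against a hash manifest and sorts files by what happened to them, using the .EV suffix described above. The function names and report categories are hypothetical, and it assumes the manifest was built while the site was clean.

```python
import hashlib
import os

EV_SUFFIX = ".EV"  # extension the advisory says EV appends to encrypted files


def sha256_file(path):
    """Hash a file in chunks so large media files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 on a clean site."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def triage(root, manifest):
    """Classify manifest entries against the live tree (categories are hypothetical).
    encrypted: original gone, <name>.EV present  -> restore from backup
    modified:  original present but hash differs -> inspect, then restore
    missing:   original gone, no .EV counterpart
    stray_ev:  .EV files whose original name is not in the manifest
    """
    report = {"encrypted": [], "modified": [], "missing": [], "stray_ev": []}
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if os.path.isfile(full):
            if sha256_file(full) != digest:
                report["modified"].append(rel)
        elif os.path.isfile(full + EV_SUFFIX):
            report["encrypted"].append(rel)
        else:
            report["missing"].append(rel)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name.endswith(EV_SUFFIX) and rel[: -len(EV_SUFFIX)] not in manifest:
                report["stray_ev"].append(rel)
    return report
```

Keep the manifest with the offline backup, not on the web server, so a compromise of the site cannot alter it.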

Image Source: Wordfence