Obfuscation Techniques in Ransomweb “Ransomware”

As important assets for many business operations, websites and their hosting servers are often the target of ransomware attacks, and if they get taken offline, this can cause major issues for a business's data, revenue, and ultimately reputation.

The worst part about ransomware is that it encrypts data and removes the original unencrypted copies. This means that if victims don't have backups of their files and databases, there may not be any way to recover the kidnapped data without paying the ransom.

“All Your Files Can’t Be Recovered”

A small business owner recently contacted us about their hacked website. It had been defaced and was displaying the following message:

The symbol on the left of the image is the coat of arms for Indonesia, Garuda Pancasila.

Upon discovery, the website owner immediately tried to access their website's files via a file manager interface and FTP. Unfortunately, all the data within the website files appeared to have been encrypted and the file names appended with .xploiter.


The attacker's message warned that all data had been lost and was unrecoverable. Since the website's file data was modified along with the file names, it would seem to indicate the victim was involved in a ransomware attack. The only problem was that there was no way to communicate with the attacker, and no ransom or demand had been made.

Ransomware, as its name indicates, usually involves some type of ransom or demand made by the attacker, allowing them to profit off of the attack.

It's possible that this attacker was just “locking” website data for fun, or they were practicing for future attempts against bigger targets.

Encrypted or Obfuscated?

When attempting to view the data from one of the “encrypted” .xploiter files, it shows unreadable binary data:

# file index.php.xploiter
index.php.xploiter: data

# cat -A index.php.xploiter
M-(`^_M-=# ^OM-$^QM-N>M-*cM-DM-^T@M-^F`M-M M-IxWCM-'MM-^BM-^KM-1^HM-Jcr%M-q^MM-R}M-^R6nM-B?^SX/UM-JM-<[M-XM-uM-VM-^O;M-^MRaM-,M-Y^D7m^FM-=D9M-$M-^@M-PM-ZM-4RM-1;M-'M-^W^B|&M-,M-^YM-^SQOA^NM-orM-UM-biS|7M-oM-~M-aM-,M-&M-^YM-8xM-}LM-^AM-^[^ZM-zM-a_eM-^DM-^{M-;`^U^M-^LM-C;(M-OGM-qvjEM-wM-M->M-6M-'r^K^TgM-^DM-MM-}M-bM-^ECM-~M-g/EM-kM-.M-^FM-78!/2M-^K:M-^M-^BM-^UM-^DM-^Y^ZM-qc6M-^QM-1M-JD''~^HM-1^?9M-4BM-@^Fj(M-^[M-?M-{*M-3M-l^K

This makes it easy to assume that the files are indeed encrypted and therefore unrecoverable without the encryption key.

On the other hand, if the file’s data was obfuscated then it would be possible to recover the file data by reversing the obfuscation steps.

Unlocker File Exposes Attacker

With website ransomware, attackers may leave behind an unlocker file. This can be used by the victim to decrypt the locked files once they have been given the encryption key in exchange for the ransom. This solution makes sense for encrypted data, since the PHP source code alone wouldn’t be enough to recover encrypted data.

In this particular incident, the attacker left behind a PHP file named openeds.php which was obfuscated and not human readable until it was deobfuscated.

When loading the file in a browser and translating it from Indonesian to English, however, it became clear that it was the unlocker file:

Unlocker file for encrypted content

After deobfuscating the file’s contents, I was able to isolate the lines of code responsible for unlocking, or recovering, the “encrypted” .xploiter files:

<?php
$pass = "fbb749bdca9f42b694c4b99dd7f1919a"; // MD5 hash of the unlock password
$mail = "[redacted]";
$dps  = "index.php";
// ...
if(md5($_POST["pass"]) == $pass){
    function BukaFile($NamaFile){
        if(strpos($NamaFile,'.xploiter') === FALSE){
            return; // not a locked file
        }
        $Buka = gzinflate(file_get_contents($NamaFile));
        file_put_contents(str_replace('.xploiter', '', $NamaFile), $Buka);
        // Above two lines are responsible for recovering the locked files

        // Delete file

        echo "$NamaFile => Terbuka\n";
    }
    echo "<hr>
<p class=\"text-light\">Unlock File</p>
<textarea class=\"form-control text-dark\" disabled rows=\"8\">";

    function BukaDir($dir){
        $files = array_diff(scandir($dir), array('.', '..'));
        foreach($files as $key){
            // ...
        }
    }
    // ...
}

This code reveals that the “encrypted” files aren't really encrypted, but rather obfuscated using the gzdeflate function, which compresses the text and turns it into unreadable binary, making the file contents virtually impossible for humans to read without deobfuscation.

Most importantly, this means the files are recoverable. The unlocker file simply uses the opposite of gzdeflate (gzinflate) to recover the files and return them to their original state.

Recovering Website Files

It's possible to test out this deobfuscation process using the following PHP code.

<?php
$NamaFile = "a-file.php.xploiter";
// change the above $NamaFile variable to any .xploiter file you want to recover
$Buka = gzinflate(file_get_contents($NamaFile));
file_put_contents(str_replace('.xploiter', '', $NamaFile), $Buka);

In the unlocker file found on the compromised website, however, the process is handled a little differently. It requires the user to know the password and submit it with their request to the unlocker; in this case, the MD5 hash is fbb749bdca9f42b694c4b99dd7f1919a.

This functionality essentially password-protects the deobfuscation process, but if you have access to the unlocker file then you can simply remove the password protection or change the password to something you know. For example, we know the MD5 hash value for ‘admin’ is 21232f297a57a5a743894a0e4a801fc3.

Here is an example of the unlocker file in action and loaded in the browser. Once the password protection has been removed or changed, the files are unlocked and returned to their original state.

Unlocker file loaded in browser

I was able to successfully test this functionality out on a few unrelated websites that were hit with this same malware. Website files had been replaced with the obfuscated .xploiter files, so this file naming convention is clearly not specific to our client's website.

I used the following script to perform the deobfuscation by uploading it to the directory containing the .xploiter files and then loading the script in my browser.

<!doctype html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=0.75, shrink-to-fit=no">
    <meta name="author" content="@rootprivilege">
    <meta name="description" content="RansomWeb Recovery">
    <!-- Bootstrap CSS -->
    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
    <title>RansomWeb Recovery</title>
  </head>
  <body class="bg-dark">
    <small class="text-light">
      This should hopefully recover any .xploiter files, or until they change the obfuscation/move to actual encryption.
    </small>
    <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.3/umd/popper.min.js" integrity="sha384-ZMP7rVo3mIykV+2+9J3UJ46jBk0WLaUAdn689aCwoqbBJiSnjAK/l8WvCWPIPm49" crossorigin="anonymous"></script>
    <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js" integrity="sha384-ChfqqxuZUCnJSK3+MXmPNIyE6ZbWh2IMqE241rYiqJxyMiZ6OW/JmZQ5stwEULTy" crossorigin="anonymous"></script>
<?php
$dir = getcwd();

// Inflate one locked file and write it back under its original name.
function UnlockFile($NamaFile){
    if(strpos($NamaFile,'.xploiter') === FALSE){
        return; // not a locked file
    }
    $unlock = gzinflate(file_get_contents($NamaFile));
    if($unlock === FALSE){
        return; // not valid DEFLATE data; do not write an empty file
    }
    file_put_contents(str_replace('.xploiter', '', $NamaFile), $unlock);

    echo "$NamaFile => Unlocked\n";
}

echo "<hr>
<p class=\"text-light\">Unlocked Files:</p>
<textarea class=\"form-control text-dark\" disabled rows=\"8\">";

// Walk the directory tree and unlock every file found.
function UnlockDir($dir){
    $files = array_diff(scandir($dir), array('.', '..'));
    foreach($files as $key){
        if(is_dir($dir."/".$key)){
            UnlockDir($dir."/".$key);
        }else{
            UnlockFile($dir."/".$key);
        }
    }
}

UnlockDir($dir);
echo "</textarea>";
?>
  </body>
</html>
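
The article's finding, that the .xploiter files are raw DEFLATE streams rather than ciphertext, can be checked offline against a copy of the site before anything is overwritten. The Python code below is an added example, not the author's script: it uses zlib with wbits=-15 (the headerless format that gzdeflate/gzinflate use), writes recovered files to a separate directory outside the source tree, and only reads the originals. The function names and the 50 MB output cap are assumptions.

```python
import os
import zlib

SUFFIX = ".xploiter"         # extension this malware appends (from the article)
MAX_OUT = 50 * 1024 * 1024   # assumed cap on inflated size (deflate-bomb guard)


def inflate_raw(blob, limit=MAX_OUT):
    """Return the inflated bytes if blob is exactly one raw DEFLATE stream, else None."""
    # wbits=-15: headerless DEFLATE, the format PHP gzdeflate()/gzinflate() use.
    d = zlib.decompressobj(-15)
    try:
        out = d.decompress(blob, limit)
    except zlib.error:
        return None          # not DEFLATE at all: treat as possibly encrypted
    if not d.eof or d.unconsumed_tail or d.unused_data:
        return None          # truncated, over the cap, or trailing bytes
    return out


def recover_tree(src_root, dst_root):
    """Inflate every *.xploiter file under src_root into dst_root.

    Source files are only read, never changed. Returns (recovered, failed).
    """
    recovered, failed = [], []
    for dirpath, _dirs, names in os.walk(src_root):
        for name in sorted(names):
            if not name.endswith(SUFFIX):
                continue
            src = os.path.join(dirpath, name)
            with open(src, "rb") as fh:
                plain = inflate_raw(fh.read())
            if plain is None:
                failed.append(src)       # needs manual analysis
                continue
            rel = os.path.relpath(src[:-len(SUFFIX)], src_root)
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            with open(dst, "xb") as fh:  # "x": never overwrite an existing file
                fh.write(plain)
            recovered.append(rel)
    return recovered, failed
```

Files returned in the second list did not inflate cleanly, so they are either damaged or locked with something other than gzdeflate.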


Attacks like these can be tricky to navigate, especially if you don't have off-site backups of your database and website.

In this particular instance, the incident didn't turn into a true ransomware attack and the victim was not provided with any steps at all to recover their data. The malware had simply obfuscated the file contents, not completely encrypted them, which is often the case with ransomware attacks, and we were able to rectify the issue and restore their website.

Ongoing security is key to preventing malware infections and compromises like these in the first place. Keep software patched with the latest updates, maintain regular data backups and store them off-site, and follow website hardening steps to mitigate risk. You can also leverage a web application firewall to patch known vulnerabilities and thwart malicious activity.
