{
	"id": "1d44decb-5adc-4053-a8b3-27d464d2f36f",
	"created_at": "2026-04-06T00:15:33.190343Z",
	"updated_at": "2026-04-10T03:24:30.03185Z",
	"deleted_at": null,
	"sha1_hash": "52f0e6239f257ba2eeaa44dbdef649a8b2cd89bf",
	"title": "Ensiko: A Webshell With Ransomware Capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49512,
	"plain_text": "Ensiko: A Webshell With Ransomware Capabilities\r\nBy Trend Micro\r\nPublished: 2020-07-27 · Archived: 2026-04-05 21:53:54 UTC\r\nThis article discusses Ensiko, a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, or macOS that have PHP installed. It can remotely control a system and accept commands to run on the infected machine.\r\nBy: Trend Micro Jul 27, 2020 Read time: 4 min (968 words)\r\nEnsiko is a PHP web shell with ransomware capabilities that targets various platforms such as Linux, Windows, macOS, or any other platform that has PHP installed. The malware has the capability to remotely control the system and accept commands to perform malicious activities on the infected machine.\r\nIt can also execute shell commands on an infected system and send the results back to the attacker via a PHP reverse shell. It is capable of scanning servers for the presence of other webshells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.\r\nTechnical Details\r\nWebshell Authentication\r\nThe malware has the ability to be password-protected. For authentication, the malware displays a Not Found page with a hidden login form as seen in the next two figures:\r\nFigure 1. Not Found page and hidden login form\r\nFigure 2. PHP code for password authentication\r\nThe password for this sample is “RaBiitch”, while the following figure shows captured network traffic for an authentication request to the web shell panel:\r\nFigure 3. Captured network traffic\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/\r\nPage 1 of 6\r\nFigure 4. Appearance of Ensiko webshell\r\nWebshell features\r\nThe following is a list of Ensiko’s capabilities (feature: description):\r\nPriv Index: Download ensikology.php from pastebin\r\nRansomware: Encrypt files using RIJNDAEL 128 with CBC mode\r\nCGI Telnet: Download CGI-telnet version 1.3 from pastebin; CGI-Telnet is a CGI script that allows you to execute commands on your web server.\r\nReverse Shell: PHP Reverse shell\r\nMini Shell 2: Drop Mini Shell 2 webshell payload in ./tools_ensikology\r\nIndoXploit: Drop IndoXploit webshell payload in ./tools_ensikology/\r\nSound Cloud: Display sound cloud\r\nRealtime DDOS Map: Fortinet DDoS map\r\nEncode/Decode: Encode/decode string buffer\r\nSafe Mode Fucker: Disable PHP Safe Mode\r\nDir Listing Forbidden: Turn off directory indexes\r\nMass Mailer: Mail Bombing\r\ncPanel Crack: Brute-force cPanel, ftp, and telnet\r\nBackdoor Scan: Check remote server for existing web shell\r\nExploit Details: Display system information and versioning\r\nRemote Server Scan: Check remote server for existing web shell\r\nRemote File Downloader: Download file from remote server via CURL or wget\r\nHex Encode/Decode: Hex Encode/Decode\r\nFTP Anonymous Access Scanner: Search for Anonymous FTP\r\nMass Deface: Defacement\r\nConfig Grabber: Grab system configuration such as “/etc/passwd”\r\nSymLink: link\r\nCookie Hijack: Session hijacking\r\nSecure Shell: SSH Shell\r\nMass Overwrite: Rewrite or append data to the specified file type.\r\nFTP Manager: FTP Manager\r\nCheck Steganologer: Detects images with EXIF header\r\nAdminer: Download Adminer PHP database management into the ./tools_ensikology/\r\nPHP Info: Information about PHP’s configuration\r\nByksw Translate: Character replacement\r\nSuicide: Self-delete\r\nFigure 5. Code listing Ensiko features\r\nRansomware Analysis\r\nThe malware uses PHP RIJNDAEL_128 with CBC mode to encrypt files in a web shell directory and subdirectories and appends filenames with the “.bak” extension. The following code snippet demonstrates this behavior of the malware:\r\nFigure 6. Code showing encryption behavior\r\nFigure 7. Encryption and decryption code\r\nFigure 8. Webshell portion with ransomware key\r\nFigure 9. Log of files being encrypted\r\nFigure 10. Encrypted files in directory\r\nFigure 11. POST request to affected server\r\nThe malware also drops an index.php file and sets it as the default page using a .htaccess file; the attacker is also notified of this action via email. The following code snippet shows this behavior:\r\nFigure 12. Code snippet for dropped .htaccess page\r\nFigure 13. The notification that appears when index.php is accessed\r\nFigure 14. Appearance of index.php page\r\nFigure 15. Encoded form of index.php\r\nFigure 16. Decoded appearance of index.php\r\nTool Set\r\nTo carry out more tasks on an infected system, the malware can load various additional tools onto an infected system. Most of these tools are loaded from Pastebin. The malware creates a directory called tools_ensikology to store these tools.\r\nFigure 17. Tools loaded from Pastebin\r\nSteganologer\r\nThere is a technique in which a malicious actor hides code within the exchangeable image file format (EXIF) headers of an image file and uses a PHP function called exif_read_data to extract and run this code on an affected server. The steganologer function identifies images with EXIF headers and labels them as a logger. In the following screenshot, test1.jpg and test2.jpg both have EXIF headers with hidden code and are identified as loggers.\r\nFigure 18. Files with hidden code\r\nFigure 19. Code for identifying files with hidden executable code\r\nBackdoor Scan\r\nA backdoor scan checks a given remote host for the existence of a webshell from a hardcoded list.\r\nFigures 20 and 21. Code for finding other webshells on affected server\r\nRemote server scan\r\nLike a backdoor scan, the remote server scan function checks the remote server for the presence of other web shells. However, instead of using a hardcoded list, it accepts manual input for files to be searched for:\r\nFigures 22 and 23. Interface and code for checking for other webshells\r\nMass Overwrite\r\nThe Mass Overwrite function can rewrite/append the content of all files with specified extensions and directories, including all subdirectories of a web shell.\r\nFigures 24 and 25. User interface and code for overwriting files\r\nConclusion\r\nEnsiko is a web shell used by an attacker that enables remote administration, file encryption, and many more features on a compromised web server. A common method to deploy a web shell is exploiting web application vulnerabilities or gaining access to an already compromised server. Additionally, Ensiko has ransomware capability to encrypt files on an infected web server using the RIJNDAEL encryption algorithm. It is also capable of scanning servers for the presence of other web shells, defacing websites, sending mass emails, downloading remote files, disclosing information about the affected server, gaining access to databases, running brute-force attacks against file transfer protocol (FTP), cPanel, and Telnet, overwriting files with specified extensions, and more.\r\nIndicators of Compromise\r\nSHA-256 Hash: 5fdbf87b7f74327e9132b5edb5c217bdcf49fe275945d502ad675c1dd46e3db5\r\nTrend Micro Detection Name: Trojan.PHP.WEBSHELL.SBJKSJ\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/"
	],
	"report_names": [
		"ensiko-a-webshell-with-ransomware-capabilities"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434533,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/52f0e6239f257ba2eeaa44dbdef649a8b2cd89bf.pdf",
		"text": "https://archive.orkl.eu/52f0e6239f257ba2eeaa44dbdef649a8b2cd89bf.txt",
		"img": "https://archive.orkl.eu/52f0e6239f257ba2eeaa44dbdef649a8b2cd89bf.jpg"
	}
}