WordPress Sites Hacked in Fake Ransomware Attacks

Attackers displayed false encryption notices with the goal of tricking website owners into paying a ransom of 0.1 bitcoin for recovery.


A new wave of cyberattacks began late last week, hacking over 300 WordPress sites and displaying fraudulent encryption notifications in an attempt to mislead site owners into paying 0.1 bitcoin for recovery. 

These ransom requests include a countdown timer in order to create a feeling of urgency and perhaps frighten a web administrator into paying. While the 0.1 bitcoin ($6,069.23) demand is small compared with what is seen in high-profile ransomware operations, it may still be a significant sum for many website owners.

Sucuri, a cybersecurity firm hired by one of the victims to conduct incident response, identified these attacks. The researchers revealed that the websites had not been encrypted, but rather that the threat actors had altered an installed WordPress plugin to show a ransom message and countdown when the page was accessed. 

In addition to presenting a ransom note, the plugin would change the 'post status' of all WordPress blog entries to 'null,' causing them to become unpublished. As a result, the attackers created a simple but convincing illusion that the site had been encrypted.

The site was restored to its usual state after deleting the plugin and running a command to republish the posts and pages. Sucuri found that the first place the actor's IP address appeared in the network traffic logs was the wp-admin panel. This suggests that the intruders logged in to the site as administrators, either by brute-forcing the password or by using credentials stolen and sold on dark web markets.
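As an added illustration of the log triage described above (this is not code from Sucuri's report or from the original article), the script below walks constructed Apache access-log lines, records each source IP's first appearance in wp-admin, and counts the failed wp-login.php POSTs that preceded it, which is what separates a brute-forced login from one made with credentials already in hand. The IP addresses, timestamps and paths in the sample are constructed, and the failure threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines; not real traffic from the reported attack.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Nov/2021:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.26"
203.0.113.10 - - [15/Nov/2021:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.26"
203.0.113.10 - - [15/Nov/2021:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.26"
203.0.113.10 - - [15/Nov/2021:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.26"
203.0.113.10 - - [15/Nov/2021:02:14:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 51234 "-" "python-requests/2.26"
198.51.100.7 - - [15/Nov/2021:03:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Nov/2021:03:01:31 +0000] "GET /wp-admin/plugin-editor.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.55 - - [15/Nov/2021:03:05:00 +0000] "GET /2021/11/some-post/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Extract ip, timestamp, method, path and status from one line; None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def triage(log_text, brute_force_threshold=3):
    """Per source IP: count failed wp-login.php POSTs (WordPress re-renders the form with a 200 on a bad
    login and answers a good one with a 302 into wp-admin), note the first wp-admin hit, and classify."""
    stats = defaultdict(lambda: {"failed_logins": 0, "first_admin": None})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        if rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            if rec["status"] == "200":
                s["failed_logins"] += 1
        elif rec["path"].startswith("/wp-admin") and s["first_admin"] is None:
            s["first_admin"] = rec["ts"]  # first appearance of this IP in the admin area
    for s in stats.values():
        if s["first_admin"] is None:
            s["assessment"] = "no admin access"
        elif s["failed_logins"] >= brute_force_threshold:
            s["assessment"] = "admin access after repeated failures: likely brute force"
        else:
            s["assessment"] = "admin access with no failures: check for stolen or reused credentials"
    return dict(stats)

if __name__ == "__main__":
    for ip, s in triage(SAMPLE_LOG).items():
        print(ip, s)
```

An IP that reaches wp-admin with no preceding failures is the case that points at leaked or reused passwords rather than guessing, which is why rotating every credential matters even when no brute-force pattern is visible.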

This was not an isolated attack but part of a larger campaign, which lends weight to the second scenario. The altered plugin Sucuri identified was Directorist, a tool for creating online company directory listings on websites.

Sucuri has identified around 291 websites hit by this attack, and a Google search reveals a mix of cleaned-up sites and sites still displaying the ransom note. All of the sites BleepingComputer found in search results utilise the same Bitcoin address, 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc, which has not received any ransom payments.

Safeguarding against website encryptions

Sucuri recommends the following security procedures to keep WordPress sites safe from hackers:

• Review the site's admin users, delete any fraudulent accounts, and update/change any wp-admin passwords.
• Protect the wp-admin administrator page.
• Modify the passwords for all other access points (database, FTP, cPanel, etc.).
• Protect your website using a firewall.
• Adhere to dependable backup techniques that will make restoration simple in the event of a genuine encryption incident.

Because WordPress is frequently targeted by threat actors, it is also critical to ensure that all of your installed plugins are up to date. 

BleepingComputer was notified about a recent fix for the Directorist plugin, which addressed an issue that enabled low-privilege users to run arbitrary code. While Sucuri's analysis does not identify the plugin as the point of entry, the presence of this vulnerability is consistent with this specific attack.

This also implies that removing the malicious code and restoring the site would not prevent the attackers from striking again as long as the Directorist plugin remains at an older, vulnerable version.