Fake Ransomware attacks on WordPress sites


Around 300 hacked WordPress sites displayed a fake encryption notice demanding a 0.1 bitcoin ransom. The notice showed a countdown timer and the message “FOR RESTORE SEND 0.1 BITCOIN”. For a web admin, 0.1 bitcoin is not a negligible amount compared with ransoms seen before. One victim hired the cyber security firm Sucuri, which discovered that these ransomware attacks were fake.

Researchers at Sucuri found that the websites were not encrypted at all; the “ransomware” was only a WordPress plugin, modified to display a countdown and a ransom note. “However, when we began our investigation into the website it turned out that nothing was encrypted at all! Normally when ransomware attacks website files the extension is changed to .lock or something similar, and the files have been rendered as unreadable, encrypted rubbish,” said Ben Martin, a researcher at Sucuri.

The site was back to normal after removing the plugin from the wp-content/plugins directory and running a command to republish the posts and pages. Through further analysis Sucuri was able to determine the source: “The first request that we saw from the attacker IP address was from the wp-admin panel, suggesting that they had already established administrator access to the website before they began their shenanigans. Whether they had brute forced the admin password using another IP address or had acquired the already-compromised login from the black market is anybody’s guess.”
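As an added example (not Sucuri's or the article's code), the following Python triage script checks what the researchers checked: whether a site's files have really been renamed and turned into ciphertext, or are still readable PHP sources sitting behind a rogue plugin's banner. The plugin name, file extensions and entropy threshold are assumptions made for the constructed samples.

```python
# Added triage example (not Sucuri's code): tell a genuinely encrypted WordPress
# install from one that only shows a ransom note. Real ransomware renames files (e.g.
# .lock) and leaves high-entropy ciphertext. Extensions, names and 7.5 bits/byte are assumed.
import math, os, tempfile
from collections import Counter
from pathlib import Path

SUSPECT_EXT = {".lock", ".locked", ".enc", ".crypt"}  # assumed ransom suffixes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(webroot: str, max_bytes: int = 4096) -> dict:
    """Classify every file under webroot and list plugin directories, since a
    rogue plugin was the delivery vehicle in the fake-ransomware case."""
    renamed, ciphertext, readable = [], [], []
    for p in Path(webroot).rglob("*"):
        if not p.is_file():
            continue
        rel = str(p.relative_to(webroot))
        if p.suffix.lower() in SUSPECT_EXT:
            renamed.append(rel)
        head = p.read_bytes()[:max_bytes]  # sample the first bytes only
        (ciphertext if entropy(head) > 7.5 else readable).append(rel)
    pdir = Path(webroot, "wp-content", "plugins")
    plugins = sorted(d.name for d in pdir.iterdir() if d.is_dir()) if pdir.is_dir() else []
    encrypted = bool(renamed) or len(ciphertext) > len(readable)
    return {"renamed": renamed, "ciphertext": ciphertext, "readable": readable,
            "plugins": plugins, "verdict": "encrypted" if encrypted else "fake-note-only"}

def demo_fake() -> dict:
    """Constructed sample: intact core files plus a plugin that only prints the banner."""
    root = tempfile.mkdtemp()
    plugin = Path(root, "wp-content", "plugins", "countdown-notice")  # constructed name
    plugin.mkdir(parents=True)
    plugin.joinpath("countdown-notice.php").write_text(
        "<?php\n/* Plugin Name: Countdown Notice */\n"
        "add_action('wp_head', function () { echo 'FOR RESTORE SEND 0.1 BITCOIN'; });\n")
    Path(root, "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    return triage(root)

def demo_encrypted() -> dict:
    """Constructed sample of the real thing: a renamed file full of random bytes."""
    root = tempfile.mkdtemp()
    Path(root, "wp-config.php.lock").write_bytes(os.urandom(4096))
    return triage(root)
```

Run `triage("/path/to/webroot")` against a suspect install; a verdict of `fake-note-only` together with an unfamiliar entry in `plugins` points at the cleanup the article describes rather than at restoring from backup.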

Recommendations by Sucuri

  • Review admin users on the site, remove any bogus accounts and update/change all wp-admin passwords
  • Secure your wp-admin administrator page
  • Change other access point passwords (database, FTP, cPanel, etc.)
  • Place your website behind a firewall
  • Don’t forget about reliable backups: in case of a real encryption incident, it will be easy to restore the site from the latest backup.
  • Make sure the plugins are updated to the latest version
