WordPress Sites Subject To Fake Ransomware Attacks

Close to 300 WordPress sites have been hit in the last couple of weeks by a new wave of attacks that display a fake encryption notice, attempting to trick site owners into paying a 0.1 bitcoin ransom to get their sites restored.

Threatpost reports that the ransom demands come with a countdown timer to instil a sense of urgency and potentially panic web admins into paying the ransom.

While the ransom demand of 0.1 bitcoin, roughly £4,500 at the time, is small compared to the sums seen in high-profile ransomware attacks, it is still a considerable amount for many website and business owners.

The attacks were revealed by cybersecurity firm Sucuri, which was hired by one of the victims to perform incident response. The researchers discovered that the websites had not actually been encrypted: the threat actors had installed a WordPress plugin and modified it to display the ransom note and countdown.

As well as displaying the ransom note, the plugin modified every WordPress post and page in the database, setting its ‘post_status’ to ‘null’. WordPress does not recognise that value as a valid status, so the content disappears from the site as though it had been unpublished.

The threat actors created a very simple yet powerful illusion that makes WordPress sites appear to be encrypted.

However, nothing was encrypted, so there is nothing to decrypt: removing the offending plugin and running a database command that republishes the posts and pages returns the affected sites to normal service. One caveat is that the original status of each item is overwritten, so a blanket republish also exposes anything that was a draft or private before the attack; a backup is the only way to tell those apart.
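The clean-up step described above, as an added example that is not part of the original article or Sucuri's own tooling. It replays the plugin's database change against a constructed, in-memory copy of the wp_posts table (sqlite3 standing in for MySQL) and then runs the restoring UPDATE. The sample rows, the table name and the assumption that the plugin stored the literal string 'null' rather than an SQL NULL are all assumptions of this example; check your site's actual table prefix and the value you see in the database before running anything like it in production.

```python
"""Undo the fake-encryption plugin's change to wp_posts (constructed example)."""
import sqlite3

# Constructed sample rows: (ID, post_title, post_status, post_type).
# Note the draft and private rows: the attack overwrites their status too.
SAMPLE_POSTS = [
    (1, "Welcome", "publish", "post"),
    (2, "About us", "publish", "page"),
    (3, "Unfinished draft", "draft", "post"),
    (4, "Internal notice", "private", "post"),
]

# Assumed restoring statement. Table name uses the default "wp_" prefix;
# a real site may use another prefix. Equivalent via WP-CLI:
#   wp db query "UPDATE wp_posts SET post_status='publish' WHERE post_status='null'"
RESTORE_SQL = "UPDATE wp_posts SET post_status = 'publish' WHERE post_status = 'null'"


def build_site() -> sqlite3.Connection:
    """Create an in-memory wp_posts table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, "
        "post_status TEXT, post_type TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def replay_attack(conn: sqlite3.Connection) -> int:
    """What the malicious plugin did (assumed): every post and page gets the
    string 'null' as its status. Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_status = 'null' WHERE post_type IN ('post', 'page')"
    )
    conn.commit()
    return cur.rowcount


def visible_titles(conn: sqlite3.Connection) -> list:
    """Titles WordPress would show publicly: only rows with status 'publish'."""
    rows = conn.execute(
        "SELECT post_title FROM wp_posts WHERE post_status = 'publish' ORDER BY ID"
    ).fetchall()
    return [r[0] for r in rows]


def count_sql_null(conn: sqlite3.Connection) -> int:
    """Rows whose status IS NULL. Stays zero after the attack because the plugin
    stored the string 'null', so a WHERE post_status IS NULL clean-up would do nothing."""
    return conn.execute(
        "SELECT COUNT(*) FROM wp_posts WHERE post_status IS NULL"
    ).fetchone()[0]


def restore(conn: sqlite3.Connection) -> int:
    """Republish everything the attack touched. Returns the number of rows changed.
    Caveat: former drafts/private posts come back as 'publish' too, because their
    original status was overwritten; compare against a backup to re-hide them."""
    cur = conn.execute(RESTORE_SQL)
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    site = build_site()
    print("before attack:", visible_titles(site))
    print("rows hit by plugin:", replay_attack(site))
    print("after attack:", visible_titles(site), "| IS NULL rows:", count_sql_null(site))
    print("rows restored:", restore(site))
    print("after restore:", visible_titles(site))
```

Running the script shows the public site going from two visible items to none and back, with the draft and private items now visible as well, which is the reason to reconcile against a backup after the blanket restore.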

While analysing the network traffic logs, Sucuri found that the first place the attacker’s IP address appeared was the wp-admin panel. No exploit of a vulnerability was seen before that point, which means the intruders simply logged in as administrators, either by brute-forcing the password or by using stolen credentials obtained from dark web markets.

The attack appears to be part of a broader campaign rather than isolated attacks, which gives more weight to the second scenario.
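The log triage described above, as an added example that is not part of the original article or of Sucuri's investigation. It parses a handful of constructed Apache/nginx combined-format access log lines, records for each client IP the first request that touched /wp-login.php or /wp-admin/, counts login POSTs, and labels the IP with the two scenarios the article names: many login POSTs before a success looks like brute force; a single successful POST followed straight by admin activity looks like a valid (possibly stolen) password. The sample lines, IPs and the brute-force threshold are all made up for this example. The one piece of real WordPress behaviour it relies on is that a failed login re-renders wp-login.php with HTTP 200 while a successful one answers with a 302 redirect into wp-admin.

```python
"""Triage access logs for an admin-login compromise (constructed example)."""
import re

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one brute-force session, one single-shot login, one
# ordinary visitor whose page triggers admin-ajax.php (front-end noise).
SAMPLE_LOG = """\
203.0.113.7 - - [15/Nov/2021:09:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1423
203.0.113.7 - - [15/Nov/2021:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
203.0.113.7 - - [15/Nov/2021:09:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
203.0.113.7 - - [15/Nov/2021:09:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
203.0.113.7 - - [15/Nov/2021:09:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
203.0.113.7 - - [15/Nov/2021:09:14:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3920
203.0.113.7 - - [15/Nov/2021:09:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [15/Nov/2021:09:14:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 51230
198.51.100.23 - - [15/Nov/2021:11:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.23 - - [15/Nov/2021:11:02:41 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 60012
198.51.100.23 - - [15/Nov/2021:11:03:15 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 8801
192.0.2.50 - - [15/Nov/2021:11:05:00 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 22113
192.0.2.50 - - [15/Nov/2021:11:05:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43
this line is not a valid log record and is skipped
"""

BRUTE_FORCE_THRESHOLD = 5  # assumed: this many login POSTs from one IP is suspicious


def parse(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def is_admin_path(path: str) -> bool:
    """Login page or wp-admin, excluding admin-ajax.php, which themes and
    plugins call from the public front end for anonymous visitors too."""
    if path == "/wp-login.php":
        return True
    return path.startswith("/wp-admin/") and path != "/wp-admin/admin-ajax.php"


def classify(entry: dict) -> str:
    """Label an IP's admin-side behaviour using the article's two scenarios."""
    if entry["login_success"] == 0:
        if entry["login_posts"]:
            return "failed login attempts only"
        return "admin activity without a login in this log window"
    if entry["login_posts"] >= BRUTE_FORCE_THRESHOLD:
        return "brute-forced admin login"
    return "logged in with a valid password (possibly stolen credentials)"


def triage(log_text: str) -> dict:
    """Per-IP summary of admin-side requests, keyed by client IP."""
    per_ip = {}
    for rec in parse(log_text):
        path = rec["path"].split("?", 1)[0]  # drop the query string
        if not is_admin_path(path):
            continue
        entry = per_ip.setdefault(rec["ip"], {
            "first_admin_hit": f'{rec["ts"]} {rec["method"]} {path}',
            "login_posts": 0, "login_success": 0, "admin_requests": 0,
        })
        if path == "/wp-login.php" and rec["method"] == "POST":
            entry["login_posts"] += 1
            if rec["status"] == "302":  # successful login redirects into wp-admin
                entry["login_success"] += 1
        elif path.startswith("/wp-admin/"):
            entry["admin_requests"] += 1
    for entry in per_ip.values():
        entry["verdict"] = classify(entry)
    return per_ip


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, entry)
```

On the sample, 203.0.113.7 is flagged as a brute-forced login (six POSTs, one success) and 198.51.100.23 as a valid-password login that goes straight to the plugin installer, the pattern the article attributes to stolen credentials; the ordinary visitor never appears because admin-ajax.php is excluded. On a real server, run it over the rotated logs for the whole period before the ransom note appeared, not just the current file.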

The plugin Sucuri found had been installed and modified to display the note was Directorist, a legitimate tool for building online business directory listings. The plugin itself was the vehicle for the fake notice, not the way in: the entry point was the administrator login.

Sucuri has tracked approximately 291 websites affected by this attack, with a Google search showing a mix of cleaned-up sites and those still showing ransom notes.

All of the sites seen so far in the search results use the same Bitcoin address, ‘3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc’, which had not received any ransom payments at the time of the report.

Protecting against site encryption attacks

To help prevent your WordPress site from being hacked, the following security practices are recommended:

  • Review admin users on the site, remove any bogus accounts, and update/change all wp-admin passwords.
  • Restrict access to the wp-admin area, for example with an IP allowlist and two-factor authentication, so a stolen or guessed password alone is not enough.
  • Change other access point passwords (database, FTP, cPanel, etc).
  • Place your website behind a web application firewall that can also rate-limit or block repeated login attempts.
  • Follow reliable backup practices that will make restoration easy in the case of a real encryption incident.

As WordPress is commonly targeted by threat actors, it is also important to keep the core, your theme and all installed plugins on their latest versions, and to remove any plugin you do not actually use.

If you’re looking for a WordPress white label agency, get in touch today.