Nov 17, 2021

WordPress sites are being hacked in fake ransomware attacks

A new wave of attacks starting late last week has hacked close to 300 WordPress sites to display fake encryption notices, trying to trick the site owners into paying 0.1 bitcoin for restoration.
These ransom demands come with a countdown timer to induce a sense of urgency and possibly panic a web admin into paying the ransom.
While the 0.1 bitcoin (~$6,069.23) ransom demand is not particularly significant compared to what we see in high-profile ransomware attacks, it can still be a considerable amount for many website owners.
These attacks were discovered by cybersecurity firm Sucuri, which was hired by one of the victims to perform incident response.
The researchers discovered that the websites had not been encrypted, but rather the threat actors modified an installed WordPress plugin to display a ransom note and countdown when 
In addition to displaying a ransom note, the plugin would modify all the WordPress blog posts and set their ‘post_status’ to ‘null,’ causing them to go into an unpublished state.
As such, the actors created a simple yet powerful illusion that made it look as if the site had been encrypted.
By removing the plugin and running a command to republish the posts and pages, the site returned to its normal status.
Upon further analysis of the network traffic logs, Sucuri found that the first point where the actor’s IP address appeared was the wp-admin panel.
This means that the infiltrators logged in as admins on the site, either by brute-forcing the password or by sourcing stolen credentials from dark web markets.
This was not an isolated attack but instead appears to be part of a broader campaign, giving more weight to the second scenario.
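
The log review described above can be approximated with a short script. This is an added example, not Sucuri's tooling or part of the original article; it assumes a combined-format access log, and the sample lines, the `admin_first_ips` helper and the rule "a 200 from a /wp-admin/ page means a logged-in session" are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (documentation IP ranges, not incident data).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2021:08:01:12 +0000] "GET / HTTP/1.1" 200 5120 "-" "-"
198.51.100.7 - - [10/Nov/2021:08:01:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "-"
198.51.100.99 - - [10/Nov/2021:08:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "-"
198.51.100.99 - - [10/Nov/2021:08:30:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2400 "-" "-"
203.0.113.45 - - [10/Nov/2021:09:14:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"
203.0.113.45 - - [10/Nov/2021:09:14:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 8450 "-" "-"
203.0.113.45 - - [10/Nov/2021:09:15:30 +0000] "POST /wp-admin/plugins.php HTTP/1.1" 200 912 "-" "-"
192.0.2.10 - - [10/Nov/2021:09:20:00 +0000] "GET /blog/hello HTTP/1.1" 200 4000 "-" "-"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ADMIN_PREFIXES = ("/wp-login.php", "/wp-admin")

def parse(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def admin_first_ips(log_text):
    """Map ip -> first-seen time for IPs whose earliest request hit the login
    or admin area and which later received a 200 from a /wp-admin/ page."""
    first = {}       # ip -> (timestamp, path) of its earliest request
    reached = set()  # ips that got a 200 inside /wp-admin/ (assumed logged in)
    for ip, ts, path, status in filter(None, map(parse, log_text.splitlines())):
        if ip not in first or ts < first[ip][0]:
            first[ip] = (ts, path)
        # admin-ajax.php answers unauthenticated visitors, so it is excluded.
        if (path.startswith("/wp-admin/") and status == 200
                and "admin-ajax.php" not in path):
            reached.add(ip)
    return {ip: ts for ip, (ts, path) in first.items()
            if path.startswith(ADMIN_PREFIXES) and ip in reached}

if __name__ == "__main__":
    for ip, seen in admin_first_ips(SAMPLE_LOG).items():
        print(f"{ip} first seen {seen.isoformat()} directly in the admin area")
```

An address that appears this way with no earlier browsing is a candidate for review against known administrator IPs; repeated `POST /wp-login.php` lines that never reach `/wp-admin/`, like the second sample address, point to failed guessing instead.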
As for the plugin seen by Sucuri, it was Directorist, which is a tool to build online business directory listings on sites.
Sucuri has tracked approximately 291 websites affected by this attack, with a Google search showing a mix of cleaned-up sites and those still showing ransom notes.
All of the sites seen by BleepingComputer in search results use the same 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc Bitcoin address, which has not received any ransom payments.
Sucuri suggests the following security practices to protect WordPress sites from being hacked:
As WordPress is commonly targeted by threat actors, it is also important to make sure all of your installed plugins are running the latest version.