Fake ransomware warnings are appearing on WordPress sites. The warnings, which claim that the site has been encrypted, have been plastered across hundreds of websites, causing alarm to users. Each shows the message “SITE ENCRYPTED – FOR RESTORE SEND 0.1 BITCOIN” (0.1 Bitcoin = approx. £4,500), along with a countdown timer.
Researchers from Sucuri found the malicious code in the directory of a widely used plugin called “Directorist”. It appears the plugin was already installed and then tampered with by the attacker.
Posts on an affected site are set to ‘unpublished’ but the content on the server does not appear to be affected. The only impact is the website defacement.
The campaign affects websites hosted on WordPress. So far, it has affected at least 300 sites.
Once the plugin is removed and the content in the database is restored, the rest is straightforward:
– Check admin users on the website; get rid of any false accounts and update/change all WordPress-admin passwords
– Protect your wp-admin administrator page
– Replace other passwords (database, FTP, cPanel)
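The admin-account check and the review of post status described above, as an added example (not from the original advisory or from Sucuri). It assumes the default WordPress tables (`wp_users`, `wp_usermeta`, `wp_posts`) and runs against constructed sample rows in an in-memory SQLite database; the function names and the list of known logins are illustrative.

```python
import re
import sqlite3

PREFIX = "wp_"  # default table prefix; the capabilities meta_key uses it too
# PHP-serialized role flag as WordPress stores it in usermeta
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')

def list_admins(conn):
    """(login, email, registered) for every account holding the administrator role."""
    rows = conn.execute(
        f"SELECT u.user_login, u.user_email, u.user_registered, m.meta_value "
        f"FROM {PREFIX}users u JOIN {PREFIX}usermeta m ON m.user_id = u.ID "
        f"WHERE m.meta_key = ? ORDER BY u.ID", (PREFIX + "capabilities",))
    return [(login, email, reg) for login, email, reg, caps in rows
            if ADMIN_CAP.search(caps or "")]

def unexpected_admins(conn, known_logins):
    """Administrators whose login is not on the owner's list of known accounts."""
    known = {k.lower() for k in known_logins}
    return [a for a in list_admins(conn) if a[0].lower() not in known]

def post_status_counts(conn):
    """Number of posts per post_status, to see how many are no longer published."""
    return dict(conn.execute(
        f"SELECT post_status, COUNT(*) FROM {PREFIX}posts "
        f"WHERE post_type = 'post' GROUP BY post_status"))

def demo_db():
    """Constructed sample rows in the default WordPress table layout (column subset)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
      CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
      CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
      CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT, post_status TEXT);
      INSERT INTO wp_users VALUES
        (1, 'siteowner', 'owner@example.test', '2019-03-01 09:00:00'),
        (2, 'editor1',   'ed@example.test',    '2020-06-12 10:30:00'),
        (3, 'wpsupport', 'x@example.test',     '2021-11-10 02:14:00');
      INSERT INTO wp_usermeta VALUES
        (1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
        (2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
        (3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
      INSERT INTO wp_posts VALUES (1,'post','publish'), (2,'post','draft'), (3,'post','draft'), (4,'page','publish');
    """)
    return conn

if __name__ == "__main__":
    db = demo_db()
    print("review these admin accounts:", unexpected_admins(db, {"siteowner"}))
    print("posts by status:", post_status_counts(db))
```

The two SELECT statements are standard SQL, so they can also be run directly against the site's MySQL database once the table prefix matches.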
Other things to consider:
– Implement a firewall for your site
– BACKUP, BACKUP, BACKUP! If hackers do encrypt or deface your website, an offline backup copy will make it easier to get the site back online.
Indicators of Compromise
None present currently.
The ransom message had been created by exploiting a weakness in a WordPress plugin named “Directorist” that was already installed on the affected sites.
The attack is a form of “scareware”, intended to frighten non-technical website owners into paying the ransom demand.
Ransomware attacks against websites don’t often succeed, because owners can restore the encrypted files from backups.
Past incidents, where ransomware was leveraged against websites but eventually failed, include cases such as:
| Name | Target | Date |
|---|---|---|
| Linux.Encoder.1 | the first known Linux-based ransomware targeted web servers | November 2015 |
| CTB-Locker (web version) | targeted PHP sites | February 2016 |
| KimcilWare | targeted Magento online stores | March 2016 |
| Unnamed ransomware | targeted Drupal sites using an SQL injection vulnerability | May 2016 |
| Heimdall | code released on GitHub was abused to ransom PHP sites | November 2016 |
| EV Ransomware | targeted WordPress sites | August 2017 |
T1491.002 – Defacement (External)
Sucuri – An Overview of Basic WordPress Hardening
Security Boulevard – Fake Ransomware Infection Spooks Website Owners
Threatpost – Fake Ransomware Infection Hits WordPress Sites
The Record by Recorded Future – Hundreds of WordPress sites defaced in fake ransomware attacks