Fake Ransomware Popping Up On WordPress Sites


Fake ransomware warnings are popping up on WordPress sites. The warnings, which claim that the user’s site has been encrypted, have been plastered across hundreds of websites, causing alarm to users. Each warning shows the message “SITE ENCRYPTED – FOR RESTORE SEND 0.1 BITCOIN” (0.1 Bitcoin = approx. £4,500), along with a timer counting down.

Researchers from Sucuri found the malicious code in the directory of a widely used plugin called “Directorist”. It appears the plugin was already installed and then tampered with by the attacker.


Posts on an affected site are set to ‘unpublished’ but the content on the server does not appear to be affected. The only impact is the website defacement.
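One way to check a site for the injected banner, as an added example that is not from the original bulletin or from Sucuri: the script walks the plugins directory and reports files containing the ransom text quoted above. It assumes the text appears literally (not encoded) in a file; the extension list, size limit and default path are illustrative choices.

```python
import os
import re
import sys

# Banner wording as quoted in this bulletin; case and whitespace may vary between renderings.
BANNER = re.compile(rb"SITE\s+ENCRYPTED|FOR\s+RESTORE\s+SEND\s+[\d.]+\s+BITCOIN", re.IGNORECASE)
SCAN_EXT = {".php", ".html", ".htm", ".js", ".inc"}  # assumption: file types worth reading
MAX_BYTES = 5 * 1024 * 1024  # assumption: skip unusually large files


def scan_plugins(plugins_dir):
    """Return sorted (plugin, relative_path, line_no, matched_text) for files holding the banner."""
    hits = []
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXT:
                continue
            path = os.path.join(root, name)
            try:
                if os.path.getsize(path) > MAX_BYTES:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            for line_no, line in enumerate(data.splitlines(), 1):
                match = BANNER.search(line)
                if match:
                    rel = os.path.relpath(path, plugins_dir)
                    plugin = rel.split(os.sep)[0]  # top-level folder = plugin name
                    text = match.group(0).decode("ascii", "replace")
                    hits.append((plugin, rel, line_no, text))
                    break  # one finding per file is enough to flag it
    return sorted(hits)


if __name__ == "__main__":
    # Default is the standard WordPress plugin location relative to the site root.
    target = sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"
    findings = scan_plugins(target)
    for plugin, rel, line_no, text in findings:
        print(f"{plugin}: {rel}:{line_no}: {text}")
    sys.exit(1 if findings else 0)
```

A clean result only means the literal text was not found; a flagged plugin should be removed and reinstalled from a trusted copy before the remaining clean-up steps.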

Affected Products

Websites hosted on WordPress. So far, the campaign has affected at least 300 sites.


Once the plugin is removed and the content in the database restored, the rest is straightforward:
– Check admin users on the website; get rid of any false accounts and update/change all WordPress-admin passwords
– Protect your wp-admin administrator page
– Replace other passwords (database, FTP, cPanel)

Other things to consider:
– Implement a firewall for your site
– BACKUP, BACKUP, BACKUP! If hackers do encrypt or deface your website, an offline backup copy will make it easier to get the site back online.

Indicators of Compromise

None present currently.

Threat Landscape

The ransom message had been created by exploiting a weakness in a WordPress plugin named “Directorist” that was already installed on the affected sites.

The attack is a form of “scareware”, intended to frighten non-technical website owners into paying the ransom demand.

Ransomware attacks against websites don’t often succeed, because owners can restore the encrypted files from backups.

Past incidents, where ransomware was leveraged against websites but eventually failed, include cases such as:

Name | Details | Date
Linux.Encoder.1 | the first known Linux-based ransomware; targeted web servers | November 2015
CTB-Locker (web version) | targeted PHP sites | February 2016
KimcilWare | targeted Magento online stores | March 2016
Unnamed ransomware | targeted Drupal sites using an SQL injection vulnerability | May 2016
Heimdall | code released on GitHub was abused to ransom PHP sites | November 2016
EV Ransomware | targeted WordPress sites | August 2017