17 November 2021

Hundreds of WordPress websites targeted in fake ransomware attacks



Nearly 300 WordPress websites were targeted in a new wave of attacks displaying fake ransomware infection notices in an attempt to trick site owners into paying a ransom demand.

The new campaign was uncovered by researchers at cybersecurity firm Sucuri while investigating a security incident that affected one of their customers. The compromised website displayed a warning indicating that it was hit by ransomware. The files appeared to be encrypted and the attackers demanded a ransom payment of 0.1 Bitcoin (approx. $6,000).

However, upon closer examination, it became clear that the website was not encrypted, but rather the attackers modified an installed WordPress plugin, which generated a simple HTML page to display a ransom note.

According to researchers, the ransom message had been generated by exploiting a vulnerability in a WordPress plugin named Directorist that was already installed on the affected sites.

The researchers also noticed that the malicious plugin would modify all the WordPress blog posts and set their 'post_status' to 'null,' making content in the database invisible.

Digging further, Sucuri found that the first point where the actor's IP address appeared was the wp-admin panel, meaning that the hackers had already established administrator access to the website before they began their attack.

At the time of writing, the campaign has hit 291 WordPress websites, according to a Google search result for the text included in the ransom note.
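The 'post_status' change described above can be checked for directly in the database. The following is an added example, not code from Sucuri or from the original article: it audits a posts table for status values outside the set WordPress core registers. It assumes the default `wp_posts` table name and uses an in-memory SQLite table with constructed rows as a stand-in for the site's MySQL database.

```python
import sqlite3

# Statuses WordPress core registers for posts and pages. Plugins may register
# more, so extend this set for the site being audited.
CORE_STATUSES = {"publish", "future", "draft", "pending", "private",
                 "trash", "auto-draft", "inherit"}


def audit_post_status(conn, table="wp_posts", allowed=CORE_STATUSES):
    """Return {unexpected_status: [post IDs]} for posts and pages in `table`."""
    # The table name is interpolated into the query, so restrict its characters.
    if not table.replace("_", "").isalnum():
        raise ValueError("unexpected table name")
    rows = conn.execute(
        f"SELECT ID, post_status FROM {table} "
        "WHERE post_type IN ('post', 'page') ORDER BY ID")
    findings = {}
    for post_id, status in rows:
        key = "<NULL>" if status is None else status  # SQL NULL vs. the string 'null'
        if key not in allowed:
            findings.setdefault(key, []).append(post_id)
    return findings


def build_sample_db():
    """Constructed sample data: two items hidden with status 'null', three untouched."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, "
                 "post_title TEXT, post_status TEXT, post_type TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (1, "Hello world", "null", "post"),
        (2, "About", "null", "page"),
        (3, "Unfinished", "draft", "post"),
        (4, "Header image", "inherit", "attachment"),
        (5, "Pricing", "publish", "page"),
    ])
    return conn


if __name__ == "__main__":
    for status, ids in audit_post_status(build_sample_db()).items():
        print(f"{len(ids)} item(s) with unexpected post_status {status!r}: {ids}")
```

A large share of posts and pages sharing one unregistered status indicates that the content still exists in the database and has only been hidden.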

