17 November 2021

Hundreds of WordPress websites targeted in fake ransomware attacks



Nearly 300 WordPress websites were targeted in a new wave of attacks displaying fake ransomware infection notices in an attempt to trick site owners into paying a ransom demand.

The new campaign was uncovered by researchers at cybersecurity firm Sucuri while investigating a security incident that affected one of their customers. The compromised website displayed a warning indicating that it was hit by ransomware. The files appeared to be encrypted and the attackers demanded a ransom payment of 0.1 Bitcoin (approx. $6,000).

However, upon closer examination, it became clear that the website was not encrypted. Instead, the attackers had modified an installed WordPress plugin, which generated a simple HTML page to display a ransom note.

According to researchers, the ransom message had been generated by exploiting a vulnerability in a WordPress plugin named Directorist that was already installed on the affected sites.

The researchers also noticed that the malicious plugin would modify all the WordPress blog posts and set their 'post_status' to 'null,' making content in the database invisible.
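A defender's check for the symptom described above, as an added example that is not code from Sucuri or from the original article: it lists posts whose `post_status` falls outside WordPress core's built-in values. The in-memory SQLite table stands in for a real `wp_posts` table (the default `wp_` prefix is assumed), and its rows are constructed sample data.

```python
import sqlite3
from collections import defaultdict

# Statuses WordPress core assigns to posts, pages, revisions and attachments.
# Assumption: extend this allowlist with custom statuses your plugins register.
CORE_STATUSES = frozenset({
    "publish", "future", "draft", "pending",
    "private", "trash", "auto-draft", "inherit",
})


def audit_post_status(conn, table="wp_posts", allowed=CORE_STATUSES):
    """Return {unexpected_status: [post IDs]} for rows outside the allowlist."""
    # The table name cannot be bound as a parameter, so validate it strictly.
    if not table.replace("_", "").isalnum():
        raise ValueError(f"unexpected table name: {table!r}")
    findings = defaultdict(list)
    query = f'SELECT ID, post_status FROM "{table}" ORDER BY ID'
    for post_id, status in conn.execute(query):
        if status not in allowed:
            findings[status].append(post_id)
    return dict(findings)


def build_sample_db():
    """Constructed stand-in for a WordPress database (not real site data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)"
    )
    conn.executemany(
        "INSERT INTO wp_posts VALUES (?, ?, ?)",
        [
            (1, "About us", "publish"),
            (2, "Hello world", "null"),   # the string 'null', as quoted in the article
            (3, "Pricing", "null"),
            (4, "Unfinished post", "draft"),
            (5, "Hello world (revision)", "inherit"),
        ],
    )
    return conn


if __name__ == "__main__":
    for status, ids in audit_post_status(build_sample_db()).items():
        print(f"post_status={status!r}: {len(ids)} post(s), IDs {ids}")
```

A hit shows that the post rows still exist and only their status was changed, which is consistent with the finding that nothing was actually encrypted.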

Digging further, Sucuri found that the first point where the actor's IP address appeared was the wp-admin panel, meaning that the hackers had already established administrator access to the website before they began their attack.

At the time of writing, the campaign has hit 291 WordPress websites, according to a Google search result for the text included in the ransom note.

