Nearly 300 WordPress websites were targeted in a new wave of attacks displaying fake ransomware infection notices in an attempt to trick site owners into paying a ransom demand.
The new campaign was uncovered by researchers at cybersecurity firm Sucuri while investigating a security incident that affected one of their customers. The compromised website displayed a warning indicating that it was hit by ransomware. The files appeared to be encrypted and the attackers demanded a ransom payment of 0.1 Bitcoin (approx. $6,000).
However, upon closer examination, it became clear that the website was not encrypted. Instead, the attackers had modified an installed WordPress plugin, which generated a simple HTML page to display a ransom note.
According to researchers, the ransom message had been generated by exploiting a vulnerability in a WordPress plugin named Directorist that was already installed on the affected sites.
The researchers also noticed that the malicious plugin would modify all the WordPress blog posts and set their 'post_status' to 'null,' making content in the database invisible.
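For site owners checking whether their content was hidden this way, the following added example (not taken from Sucuri's report) audits and restores rows whose `post_status` was set to 'null'. It assumes MySQL/MariaDB and the default `wp_` table prefix; the table name `wp_posts_null_audit` and the status mapping in step 3 are assumptions of this example.

```sql
-- Added example. Assumes MySQL/MariaDB and the default "wp_" table prefix.
-- Take a full database backup before changing anything.

-- 1. Scope the damage: how many rows were tampered with, per post type.
SELECT post_type, COUNT(*) AS tampered
FROM wp_posts
WHERE post_status = 'null'
GROUP BY post_type;

-- 2. Record exactly which rows were touched (hypothetical table name) so the
--    restore can be reviewed afterwards. CREATE TABLE commits implicitly in
--    MySQL, so it is run before the transaction starts.
CREATE TABLE wp_posts_null_audit AS
SELECT ID, post_type, post_title, post_date_gmt, post_modified_gmt
FROM wp_posts
WHERE post_status = 'null';

-- 3. Restore. The previous status is not stored in the row, so it is inferred:
--    revisions and attachments normally carry 'inherit'; future-dated entries
--    are parked as 'draft' for manual review; everything else is republished.
START TRANSACTION;

UPDATE wp_posts
SET post_status = CASE
        WHEN post_type IN ('revision', 'attachment') THEN 'inherit'
        WHEN post_date_gmt > UTC_TIMESTAMP()         THEN 'draft'
        ELSE 'publish'
    END
WHERE post_status = 'null';

-- 4. Verify before committing: this should return 0.
SELECT COUNT(*) AS remaining
FROM wp_posts
WHERE post_status = 'null';

COMMIT;
```

Posts that were drafts or private before the tampering are republished by step 3, so compare the site against `wp_posts_null_audit` afterwards and reset any that should not be public.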
Digging further, Sucuri found that the first point where the actor's IP address appeared was the wp-admin panel, meaning that the hackers had already established administrator access to the website before they began their attack.
At the time of writing, the campaign has hit 291 WordPress websites, according to a Google search result for the text included in the ransom note.