Accompanying the ransom demands were countdown timers that were added to create more panic and further arm twist the owners into paying the ransom.
The deception behind these attacks was discovered by cybersecurity firm Sucuri who was hired by one of the victims to perform incident response on the supposed attack.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
As soon as they began their investigation, the researchers discovered that the websites’ pages had not been encrypted, and that the notice was fake.
The researchers said that the “attack” had all the hallmarks of a genuine ransomware campaign, as it seemed to suggest that the website had been encrypted. While the demand sum of 0.1 BTC was considerably less than what is demanded in typical ransomware attacks, it still comes to over $6000, which is still a considerable amount of money.
“Before panicking and paying the ransom (or completely re-building their website from scratch) thankfully some website owners hired us to take a look,” writes Sucuri, who had tackled ransomware attacks on websites earlier.
However, as soon as they looked inside the web server, they discovered that the files weren’t encrypted. Instead, the warning turned out to be a simple HTML page generated by a bogus WordPress plugin.
In addition to displaying the message and the timer, the plugin issued a simple SQL command to find any posts and pages that had the “publish” status, and changed it to “null,“ which would 404 all pages, and lend credibility to the fake attack.
The researchers however couldn’t determine if the attackers had brute forced the admin password, or had acquired the already-compromised login from the black market.