WordPress sites hacked in fake ransomware attacks

security threat
(Image credit: Shutterstock.com)

Security researchers have found that close to 300 WordPress websites have been defaced to display fake attack notices, in order to trick the site owners into paying 0.1 bitcoin (BTC) for restoration.

Accompanying the ransom demands were countdown timers that were added to create more panic and further arm twist the owners into paying the ransom.

The deception behind these attacks was discovered by cybersecurity firm Sucuri who was hired by one of the victims to perform incident response on the supposed attack.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> <a href="https://project.tolunastart.com/tqsruntime/main?surveyData=LFFFsT0HpgsyUe0tTFumBJohXK8Sedt0ARpsCF4DRGR+oCoVbvd+2+d8+UNIIx4L" data-link-merchant="project.tolunastart.com"" target="_blank">Click here to start the survey in a new window <<

As soon as they began their investigation, the researchers discovered that the websites’ pages had not been encrypted, and that the notice was fake.

Clever deception

The researchers said that the “attack” had all the hallmarks of a genuine ransomware campaign, as it seemed to suggest that the website had been encrypted. While the demand sum of 0.1 BTC was considerably less than what is demanded in typical ransomware attacks, it still comes to over $6000, which is still a considerable amount of money.

“Before panicking and paying the ransom (or completely re-building their website from scratch) thankfully some website owners hired us to take a look,” writes Sucuri, who had tackled ransomware attacks on websites earlier. 

However, as soon as they looked inside the web server, they discovered that the files weren’t encrypted. Instead, the warning turned out to be a simple HTML page generated by a bogus WordPress plugin.

In addition to displaying the message and the timer, the plugin issued a simple SQL command to find any posts and pages that had the “publish” status, and changed it to “null,“ which would 404 all pages, and lend credibility to the fake attack.

The researchers however couldn’t determine if the attackers had brute forced the admin password, or had acquired the already-compromised login from the black market.

Want to build a website? Use one of these best WordPress hosting providers and build them with the help of these best WordPress website builders

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.