WordPress site owners targeted by fake ransomware attacks

December 27, 2021

A new series of ransomware attacks has hijacked about 300 WordPress sites to display false encryption warnings, which are used to fool site owners into paying a ransom of 0.1 BTC for restoration and retrieval.

The threat actors’ ransom demands include a countdown timer to create panic and a sense of urgency, pressuring the targeted WordPress site owners to pay. Although 0.1 bitcoin is small compared to ransom demands made against high-tier companies, it is still a considerable amount, since 0.1 bitcoin is worth approximately $6,000.

A cybersecurity team discovered these fake ransomware attacks after being contacted by one of the victims. They found that the websites showed no signs of being encrypted. Instead, the threat actors had modified a downloaded WordPress plugin to display a ransom note accompanied by a countdown showing when the owner should pay.

 

In addition to displaying the ransom notification, the plugin would modify all the WordPress blog posts and set their ‘post_status’ to ‘null’, putting them into an unpublished state that created the illusion of being encrypted.

 

Owners can recover their site by deleting the plugin and running a command to republish the blog posts and published pages. After extensive analysis of the network traffic logs, the cybersecurity team identified that the first place the threat actor’s IP address appeared was the wp-admin panel.

This indicates that the hackers logged in as one of the admins on the site. The hackers may have impersonated an admin by brute-forcing the password or by collecting stolen credentials from dark web markets. Moreover, this attack was not isolated; it may be part of something bigger.

The researcher also found that the plugin used to fake the ransomware attack is from ‘Directorist’, a tool for building online business directory listings on websites. Security experts have not found all the affected sites, but they have tracked about 300 websites affected by these fake ransomware attacks. In addition, a Google search reveals a mix of repaired sites and sites still under the fake ransomware attack.
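The recovery step described earlier (republishing the posts and pages whose ‘post_status’ was set to ‘null’), as an added example that is not from the original article or the researchers: it counts the affected rows, then republishes them in one transaction, run here against a constructed in-memory SQLite stand-in for the posts table. The default `wp_posts` table name, the function names, and treating ‘null’ as a literal string value are assumptions.

```python
import re
import sqlite3

HIDDEN = "null"            # assumed: the literal string the plugin writes to post_status
TYPES = ("post", "page")   # the article says posts and pages need republishing
_MARKS = ",".join("?" * len(TYPES))

def _check(table):
    """Table prefixes vary per site; allow only a plain identifier in the SQL."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", table):
        raise ValueError(f"unsafe table name: {table!r}")
    return table

def hidden_counts(db, table="wp_posts"):
    """Return {post_type: count} of rows whose post_status is the string 'null'."""
    t = _check(table)
    cur = db.execute(
        f"SELECT post_type, COUNT(*) FROM {t} WHERE post_status = ? GROUP BY post_type",
        (HIDDEN,))
    return dict(cur.fetchall())

def republish(db, table="wp_posts"):
    """Set hidden posts/pages back to 'publish'; return the IDs that were changed."""
    t = _check(table)
    where = f"post_status = ? AND post_type IN ({_MARKS})"
    params = (HIDDEN, *TYPES)
    with db:  # commits on success, rolls back if the UPDATE fails
        ids = [r[0] for r in db.execute(f"SELECT ID FROM {t} WHERE {where} ORDER BY ID", params)]
        db.execute(f"UPDATE {t} SET post_status = 'publish' WHERE {where}", params)
    return ids

def sample_db():
    """Constructed miniature posts table (not data from a real site)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT, "
               "post_status TEXT, post_title TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?,?,?,?)", [
        (1, "post", "null", "Hello world"),
        (2, "page", "null", "About"),
        (3, "post", "draft", "Unfinished"),           # untouched by the plugin
        (4, "revision", "inherit", "Hello world (rev)"),
        (5, "post", "null", "News"),
    ])
    return db

if __name__ == "__main__":
    db = sample_db()
    print("hidden before:", hidden_counts(db))
    print("republished IDs:", republish(db))
    print("hidden after:", hidden_counts(db))
```

Keep the returned ID list with the incident notes so the change can be reviewed, and run the count before deleting the plugin to record how many posts and pages it had hidden.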
