WordPress sites get hacked by fake ransomware

Hackers have been carrying out systematic attacks on websites hosted on WordPress. Just last week, 300 of them began to display messages that had been encrypted, as reported by the Bleeping Computer on Tuesday (16).

The most curious thing, according to the website, is that there was no type of encryption, but a real notice of redemption request for restoration, of 0.1 Bitcoin.

Although the figure is low compared to what is set for high profile ransomware attacks, it still represents a significant impact for many hosting service website owners. And what’s most disturbing about these WordPress ransom calls is that they’re accompanied by a countdown timer, to evoke a sense of urgency that bewilders the web administrator.

Hired by one of the victims, Brazilian cybersecurity company Sucuri investigated the attacks and found that the websites were never actually encrypted. What the hackers did was a modification in a WordPress plugin that was already installed, so that the code started to display the ransom note.

How did hackers create a fake ransomware attack?

Source: Sucuri/ReproductionSource: Sucuri

The plugin modified by the WordPress site attackers not only displays a ransom note but also makes modifications to all blog posts, changing the ‘post_status’ to ‘null’, that is, changing their status to ‘unpublished’. At first, it’s as if the entire site had been encrypted, but as soon as the experts removed the plugin and ran a command to republish the posts, the site was back to normal.

After tracking around 291 infected websites, Sucuri identified the modified Directorist plugin as the source of the attacks. In an update made by Bleeping Computer, the site reports having received a tip about a recent fix of the aforementioned plugin, addressing a bug that allowed the execution of arbitrary code by low-privileged users, which seems to confirm the Sucuri report.