WordPress sites hacked in fake ransomware attacks

How the attackers got the login credentials for the WordPress websites is still a mystery


Security researchers have found that close to 300 WordPress websites have been defaced to display fake attack notices, in order to trick the site owners into paying 0.1 bitcoin (BTC) for restoration.

Accompanying the ransom demands were countdown timers that were added to create more panic and further arm-twist the owners into paying the ransom.

The deception behind these attacks was discovered by cybersecurity firm Sucuri, which was hired by one of the victims to perform incident response on the supposed attack.


As soon as they began their investigation, the researchers discovered that the websites’ pages had not been encrypted, and that the notice was fake.

Clever deception

The researchers said that the “attack” had all the hallmarks of a genuine ransomware campaign, as it seemed to suggest that the website had been encrypted. While the demand of 0.1 BTC was considerably less than what is demanded in typical ransomware attacks, it still comes to over $6000, a considerable amount of money.

“Before panicking and paying the ransom (or completely re-building their website from scratch) thankfully some website owners hired us to take a look,” writes Sucuri, which had tackled ransomware attacks on websites earlier.

However, as soon as they looked inside the web server, they discovered that the files weren’t encrypted. Instead, the warning turned out to be a simple HTML page generated by a bogus WordPress plugin.


In addition to displaying the message and the timer, the plugin issued a simple SQL command to find any posts and pages that had the “publish” status and changed it to “null,” which would 404 all pages and lend credibility to the fake attack.

The researchers, however, couldn’t determine whether the attackers had brute-forced the admin password or had acquired the already-compromised login from the black market.
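
The status change described above can be checked for directly in the database. The following is an added example, not code from Sucuri or from the original article: it uses Python's sqlite3 with a constructed table as a stand-in for a site's MySQL `wp_posts` table (default `wp_` prefix assumed), flags rows whose `post_status` is not one of WordPress core's statuses, and reverts the literal string "null" to "publish" for posts and pages.

```python
import sqlite3

# Post statuses registered by WordPress core. Plugins can register more,
# so extend this set for your site before trusting the results.
CORE_STATUSES = {"publish", "future", "draft", "pending", "private",
                 "trash", "auto-draft", "inherit"}

def find_unknown_status(conn):
    """Return (ID, post_type, post_status) rows whose status is not a core one."""
    marks = ",".join("?" * len(CORE_STATUSES))
    sql = ("SELECT ID, post_type, post_status FROM wp_posts "
           f"WHERE post_status IS NULL OR post_status NOT IN ({marks}) "
           "ORDER BY ID")
    return conn.execute(sql, sorted(CORE_STATUSES)).fetchall()

def restore_status(conn, bad="null", good="publish"):
    """Revert status `bad` to `good` for posts and pages; return rows changed."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_status = ? "
        "WHERE post_status = ? AND post_type IN ('post', 'page')",
        (good, bad))
    conn.commit()
    return cur.rowcount

def build_sample_db():
    """Constructed sample rows standing in for a defaced site's wp_posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, "
                 "post_title TEXT, post_type TEXT, post_status TEXT)")
    conn.executemany(
        "INSERT INTO wp_posts (post_title, post_type, post_status) "
        "VALUES (?, ?, ?)",
        [("Hello world", "post", "null"),        # was published, now 404s
         ("About", "page", "null"),              # was published, now 404s
         ("Unfinished", "post", "draft"),        # untouched by the plugin
         ("Old revision", "revision", "inherit")])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for row in find_unknown_status(db):
        print("unexpected status:", row)
    print("rows restored:", restore_status(db))
    print("still unexpected:", find_unknown_status(db))
```

Run the detection step first and review what it lists before restoring anything; on a live site, take a database backup and remove the bogus plugin before reverting the status.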


With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
