Multiple websites relying on WordPress publishing platforms have fallen victim to a rather cleverly crafted ransomware attack. Operators launching the attack are manipulating key settings to scare Site Admins into paying 0.1 Bitcoin as ransom to get control and functionality back.
WordPress Admins maintaining blogs and articles are increasingly becoming victims of new ransomware attacks. Strangely, the attackers aren’t truly encrypting the WordPress backend; they are displaying deceptive yet convincing ransom notes.
Ransomware gangs using WordPress Admin logins and backend settings to scare Administrators and Site Managers:
An as-yet-unknown group of ransomware creators has been targeting hundreds of WordPress sites. According to some reports, attackers have successfully compromised close to 300 websites that depend on the WordPress blogging and publishing backend.
The compromised website displays a typical ransom note. The rest of the website’s content is not visible, and neither are the other navigation options.
The ransom page comes with a countdown timer, usually set to a week’s time. Needless to say, the timer is there to instill a sense of urgency and panic in the web admin.
The goal of the ransom note is simple. It claims the website and all its content are encrypted, and demands a ransom in Bitcoin. However, the situation isn’t as straightforward as it seems.
Ransomware gangs demanding just 1 Bitcoin to “decrypt” a compromised WordPress website:
The corporate world is witnessing an exponential rise in ransomware attacks. Some of the high-profile victims, and news about them, have earned operators of the malware a lot of notoriety.
Usually, ransomware gangs demand multiple Bitcoins or millions of dollars. However, the gangs attacking WordPress websites are demanding just 0.1 Bitcoin or about $6100.
Hundreds of WordPress sites were defaced over the weekend in fake ransomware attacks
-Nobody has paid so far
-Ransom note is a defacement, as there's no encryption on the affected sites at all, and typically just one page is impacted, not the whole site
— Catalin Cimpanu (@campuscodi) November 16, 2021
As it turns out, the attackers aren’t truly encrypting the contents of the WordPress websites. Instead, they are installing a modified plugin to display a ransom note and countdown timer.
To further convince the Web Admins, the plugin modifies all the WordPress blog posts and sets their ‘post_status’ to ‘null’. This causes all the articles to enter an “unpublished” state.
Web Admins can regain complete control of the compromised website by removing the plugin and running a command to republish the posts and pages.
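The detection and recovery step described above, as an added example that is not code from the article: a Python/SQLite simulation of checking a wp_posts table for the ‘null’ status indicator and republishing only the affected posts and pages. The table contents are constructed for the demo; the literal string 'null' follows the text above, and handling an actual SQL NULL as well is an assumption. On a live site the same UPDATE would be run against the MySQL database after the rogue plugin is removed and a database backup has been taken.

```python
import sqlite3

# Constructed sample of a wp_posts table (not real site data). Rows 1, 2, 4 and 5
# are what the rogue plugin leaves behind; row 3 is a legitimately unpublished draft.
SAMPLE_ROWS = [
    (1, "post", "null", "Hello world"),
    (2, "page", "null", "About"),
    (3, "post", "draft", "Unfinished draft"),      # must NOT be touched by recovery
    (4, "revision", "null", "Hello world (rev)"),  # revisions are never 'publish'
    (5, "post", None, "Imported post"),            # assumption: a real SQL NULL variant
]


def load_sample_db():
    """Return an in-memory SQLite DB with a minimal wp_posts schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT, "
        "post_status TEXT, post_title TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_nulled_posts(conn):
    """Detection: (ID, post_type) of every row whose status is the string 'null' or NULL."""
    return conn.execute(
        "SELECT ID, post_type FROM wp_posts "
        "WHERE post_status = 'null' OR post_status IS NULL ORDER BY ID"
    ).fetchall()


def republish_nulled_posts(conn):
    """Recovery: republish only affected posts and pages; returns the number of rows fixed.
    Drafts keep their status, and other post types (revisions, attachments) are left for
    manual review rather than being blindly set to 'publish'."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_status = 'publish' "
        "WHERE (post_status = 'null' OR post_status IS NULL) "
        "AND post_type IN ('post', 'page')"
    )
    conn.commit()
    return cur.rowcount


def status_of(conn, post_id):
    """Helper: current post_status of one row."""
    return conn.execute(
        "SELECT post_status FROM wp_posts WHERE ID = ?", (post_id,)
    ).fetchone()[0]
```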
What’s concerning is that the attackers manage to install the plugin using a legitimate account. How easily and quickly the gangs gain access to a legitimate Web Admin account, and from there compromise the website, is the real problem.
Hence, Web Admins must review their account credentials, secure the wp-admin administrator page, change passwords, and take other precautions.