Nearly 300 WordPress sites have been hacked in a fresh round of attacks that began late last week, displaying phony encryption alerts in an attempt to trick site owners into paying 0.1 bitcoin for recovery. The ransom requests include a countdown timer, intended to create a sense of urgency, and potentially fear, among web administrators so that they pay up.
Sucuri, a cybersecurity firm engaged by one of the victims to provide incident response, identified the cyberattacks. According to the researchers, the websites had not been encrypted, but the threat actors had updated an installed WordPress plugin to show a ransom message and countdown.
In addition to displaying a ransom note, the plugin changed the ‘post_status’ of every WordPress post to ‘null,’ which unpublished them. The result was a simple but effective deception: the site appeared to have been encrypted when nothing had actually been encrypted at all. After deleting the plugin and running a script to republish the posts and pages, the website was restored to its previous state.
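The tampering described above leaves a clear fingerprint in the database, because ‘null’ is not a post status WordPress itself ever writes. The following is an added example of how an administrator could triage and reverse it; it is not Sucuri’s recovery script. It assumes MySQL or MariaDB and the default ‘wp_’ table prefix, and it restores only posts and pages so that revisions and attachments, which legitimately carry the status ‘inherit,’ are left alone.

```sql
-- Added example (not Sucuri's script): triage and restore posts whose
-- post_status was overwritten with 'null'. Assumes MySQL/MariaDB and the
-- default 'wp_' table prefix; adjust the prefix for your installation.

-- 1. Confirm the symptom. In the stock schema post_status is
--    varchar(20) NOT NULL DEFAULT 'publish', so the value will normally be
--    the literal string 'null', but a real NULL is checked as well.
SELECT post_type, post_status, COUNT(*) AS n
FROM wp_posts
GROUP BY post_type, post_status
ORDER BY post_type, n DESC;

-- 2. List the affected content before touching anything, so there is a
--    record of exactly which rows were tampered with.
SELECT ID, post_type, post_title, post_modified_gmt
FROM wp_posts
WHERE (post_status = 'null' OR post_status IS NULL)
  AND post_type IN ('post', 'page')
ORDER BY ID;

-- 3. Restore. Only posts and pages are republished; revisions and
--    attachments (status 'inherit') are excluded on purpose. Run inside a
--    transaction, re-run step 1, and COMMIT only if the counts look right.
START TRANSACTION;
UPDATE wp_posts
SET post_status = 'publish'
WHERE (post_status = 'null' OR post_status IS NULL)
  AND post_type IN ('post', 'page');
-- ... re-run step 1 here, then COMMIT or ROLLBACK.
COMMIT;
```

One caveat: if any posts were genuine drafts before the attack and the plugin overwrote every status indiscriminately, the database alone cannot tell them apart from formerly published posts. Compare the list from step 2 against the most recent clean backup before committing, and rotate the administrator credentials at the same time, since the status change is only a symptom of the account compromise.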
Sucuri examined the network traffic logs and found that the attacker’s IP address first appeared in the wp-admin panel. This indicates that the intruders logged in to the site as administrators, either by brute-forcing the password or by using stolen credentials bought on dark web markets.
Rather than a one-off attack, this appears to be part of a larger campaign, which lends the second scenario greater credence. Sucuri identified the plugin involved as Directorist, a tool for creating online business directory listings on websites.
Sucuri has identified roughly 291 websites impacted by the attack, and a Google search turns up a mix of sites that have been cleaned up and sites that still display the ransom note. All of them use the same Bitcoin address, 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc, which has yet to receive any ransom payments.