A fresh wave of attacks began recently, resulting in almost 300 WordPress sites being hacked.

The sites in question were manipulated by malicious actors to display false encryption notices, in an attempt to fool the site owners into paying 0.1 bitcoin to restore their platform to normal operations.

A cleverly constructed scheme

The recent ransom demands also included a ticking countdown timer. Creating a sense of urgency and panic is a technique cybercriminals commonly use to push victims into rash actions. In this campaign, the hackers hoped to trick web administrators into believing the site they managed had been encrypted and into paying the requested ransom.

Although the 0.1 bitcoin ransom demand (equivalent to a little over £4,000) is not especially substantial in comparison to sums requested in high-profile and headline-grabbing ransomware attacks, it is still a considerable amount for many website owners.

The attacks were uncovered by cybersecurity experts at California-based firm Sucuri. One of the victims hit by the hack hired the company and requested that it perform an incident response.

Sucuri’s researchers found that the websites involved had not, in fact, been encrypted. They identified that the threat operators behind the campaign had modified a WordPress plugin already installed on the site so that it displayed a countdown timer and ransom note.

Additionally, the hacker’s modification of the plugin altered blog posts made in WordPress. It set the status of posts to “null”, which left them unpublished. This reinforced the illusion that the websites had indeed been encrypted, in an attempt to encourage a ransom payment.

Attack mitigation

The security researchers identified that by removing the modified plugin and running a command to republish the pages and posts, the website was able to return to normal functionality.
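As an added illustration, not from Sucuri’s report or this article, the following Python script reproduces the check and the fix described above against an in-memory SQLite copy of a wp_posts table built from constructed sample rows. It assumes the plugin wrote the literal string “null” into the post_status column, as the article describes, and that every affected post had previously been published; any status outside the set WordPress itself uses is flagged first so an operator can review it before anything is republished.

```python
import sqlite3

# Statuses that WordPress itself assigns to rows in wp_posts.
KNOWN_STATUSES = {"publish", "future", "draft", "pending", "private",
                  "trash", "auto-draft", "inherit"}

# Constructed sample rows: two posts were switched to the string "null",
# the others are untouched.
SAMPLE_POSTS = [
    (1, "Welcome", "publish"),
    (2, "Pricing", "null"),
    (3, "Contact", "null"),
    (4, "Upcoming launch", "draft"),
    (5, "Old notice", "trash"),
]


def build_db(rows=SAMPLE_POSTS):
    """Create an in-memory table with the wp_posts columns this check uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def find_anomalous_statuses(conn):
    """Return {status: count} for status values WordPress never writes itself.
    The marker left by this campaign is the literal string 'null'."""
    cur = conn.execute(
        "SELECT post_status, COUNT(*) FROM wp_posts GROUP BY post_status"
    )
    return {status: n for status, n in cur if status not in KNOWN_STATUSES}


def republish_nulled_posts(conn, bad_status="null"):
    """Restore posts hidden by the modified plugin; returns rows changed.
    Assumes those posts were published before the tampering."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_status = 'publish' WHERE post_status = ?",
        (bad_status,),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = build_db()
    print("anomalous statuses:", find_anomalous_statuses(db))
    print("restored:", republish_nulled_posts(db))
    print("anomalous after fix:", find_anomalous_statuses(db))
```

Running the anomaly check before and after the update gives a simple before/after record for the incident notes, and the UPDATE only touches rows carrying the marker, so legitimately drafted or trashed posts keep their status.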

After further study of the network’s traffic logs, the team discovered that the WordPress admin panel was the first point where the threat operator’s IP address appeared.

This meant that the threat actors logged in as administrators on the WordPress site, either by brute-forcing passwords or by obtaining stolen credentials from underground cybercriminal markets on the dark web.
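The log review described above, as an added example that is not part of Sucuri’s write-up: a Python pass over constructed web-server access-log lines (Apache/nginx “combined” format) that records the first /wp-admin/ request made by each client address and how many rejected login attempts that address made beforehand. It assumes default WordPress behaviour, in which a rejected POST to wp-login.php is answered with HTTP 200 and the login form again, while a successful one redirects with 302.

```python
import re
from collections import defaultdict

# Combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: one client repeatedly fails to log in, then
# reaches the admin panel; another logs in once without failures.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Nov/2021:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4210
198.51.100.7 - - [10/Nov/2021:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4210
198.51.100.7 - - [10/Nov/2021:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4210
203.0.113.5 - - [10/Nov/2021:02:14:05 +0000] "GET /blog/pricing/ HTTP/1.1" 200 8800
198.51.100.7 - - [10/Nov/2021:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.7 - - [10/Nov/2021:02:14:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 31200
198.51.100.7 - - [10/Nov/2021:02:16:40 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 28000
192.0.2.44 - - [10/Nov/2021:09:00:12 +0000] "GET /wp-login.php HTTP/1.1" 200 4210
192.0.2.44 - - [10/Nov/2021:09:00:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.44 - - [10/Nov/2021:09:00:31 +0000] "GET /wp-admin/ HTTP/1.1" 200 31200
"""


def summarise_admin_access(log_text, login_threshold=3):
    """For every client IP that reached /wp-admin/, return the timestamp of
    its first admin-panel request and the number of rejected wp-login.php
    POSTs it made before that point; IPs at or above login_threshold are
    marked suspicious."""
    failed_logins = defaultdict(int)  # ip -> rejected login POSTs so far
    first_admin = {}                  # ip -> timestamp of first /wp-admin/ hit
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, path, status = m.group("ip", "ts", "method", "path", "status")
        if ip in first_admin:
            continue  # only count what happened before the first admin access
        if path.startswith("/wp-login.php") and method == "POST" and status == "200":
            failed_logins[ip] += 1  # form re-served: credentials rejected
        elif path.startswith("/wp-admin"):
            first_admin[ip] = ts
    return {
        ip: {
            "first_admin_access": ts,
            "failed_logins_before_admin": failed_logins[ip],
            "suspicious": failed_logins[ip] >= login_threshold,
        }
        for ip, ts in first_admin.items()
    }


if __name__ == "__main__":
    for ip, info in summarise_admin_access(SAMPLE_LOG).items():
        print(ip, info)
```

The “first admin access” timestamp is the pivot point for the rest of the investigation: every request from that address after it, and every login from anywhere around it, belongs in the timeline. The threshold is deliberately low here because the sample is short; on a real server it should be tuned against the normal rate of mistyped passwords.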

However, this attack was not an isolated event but rather appears to be one part of a wider campaign. The plugin observed by Sucuri was identified as Directorist, a tool used for building directory listings for online businesses on websites.

Sucuri has now tracked around 291 sites impacted by the campaign. In all of the attacks, the same Bitcoin address was used for ransom payment requests (3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc), but to date it has received no payments.

To avoid hacks on WordPress websites, companies are advised to review all admin users and remove any fake accounts, and then change and update their wp-admin passwords. The wp-admin page must be secured, and all access points protected, such as FTP, databases and cPanel. Websites should be placed behind a firewall, systems and data should be backed up, and plugins must always be kept at their current version.
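The account and plugin review recommended above, as an added example that is not from the article or from Sucuri: a Python audit over constructed output in the shape produced by the WP-CLI commands `wp user list --format=json` and `wp plugin list --format=json`. The allowlist of expected administrator logins, the account names, the plugin names and the version strings are all invented for the sample; the JSON field names match what WP-CLI emits by default.

```python
import json

# Constructed sample in the shape of `wp user list --format=json`.
# Account names and e-mail addresses are invented.
USERS_JSON = """[
 {"ID": 1, "user_login": "siteowner", "display_name": "Site Owner",
  "user_email": "owner@example.com", "user_registered": "2019-03-02 10:11:12",
  "roles": "administrator"},
 {"ID": 2, "user_login": "editor_jane", "display_name": "Jane",
  "user_email": "jane@example.com", "user_registered": "2020-06-15 08:00:00",
  "roles": "editor"},
 {"ID": 7, "user_login": "wp_support", "display_name": "wp_support",
  "user_email": "support@mail.invalid", "user_registered": "2021-11-09 23:58:40",
  "roles": "administrator"}
]"""

# Constructed sample in the shape of `wp plugin list --format=json`;
# plugin names and versions are invented.
PLUGINS_JSON = """[
 {"name": "example-listing", "status": "active", "update": "available", "version": "1.2.3"},
 {"name": "example-forms", "status": "inactive", "update": "none", "version": "4.0.0"},
 {"name": "example-cache", "status": "active", "update": "available", "version": "0.9.1"}
]"""

# The administrator logins the site owner knows should exist (assumed list).
EXPECTED_ADMINS = {"siteowner"}


def unexpected_admins(users_json, expected=EXPECTED_ADMINS):
    """Return administrator accounts that are not on the owner's allowlist,
    with the details needed to decide whether each one is fake."""
    findings = []
    for user in json.loads(users_json):
        roles = set(user["roles"].split(","))  # WP-CLI joins multiple roles with commas
        if "administrator" in roles and user["user_login"] not in expected:
            findings.append({
                "ID": user["ID"],
                "user_login": user["user_login"],
                "user_email": user["user_email"],
                "user_registered": user["user_registered"],
            })
    return findings


def plugins_needing_update(plugins_json):
    """Return names of plugins for which WP-CLI reports an update is available,
    active or not, since an inactive plugin's code is still on disk."""
    return [p["name"] for p in json.loads(plugins_json) if p["update"] == "available"]


if __name__ == "__main__":
    for finding in unexpected_admins(USERS_JSON):
        print("review admin account:", finding)
    print("plugins to update:", plugins_needing_update(PLUGINS_JSON))
```

Reviewing against an allowlist rather than eyeballing the user table catches accounts with plausible-looking names, and the registration timestamp places each unexpected account relative to the incident. Inactive plugins are reported as well because their files remain on the server until they are deleted.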