Over 300 WordPress sites were attacked with fake encryption notices, informing them they must pay 0.1 bitcoin to restore their sites. The attackers added a countdown timer to get their victims to panic and feel pressure to respond.
In a simple but effective move, the attackers installed a WordPress Plugin that displayed the ransom note and countdown timer. This plugin also cleverly modified any WordPress blog posts and set their ‘post_status’ to ‘null,’ which meant they appeared as unpublished, thus giving the illusion of an encrypted site!
The Sucuri security researchers who were brought in for incident response discovered the trick and looked for the point of entry, which they traced to the wp-admin panel. This means the attackers were able to log in as admins, either by brute-forcing the login or by using stolen credentials.
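Because the "encryption" was nothing more than a plugin rewriting post_status, the first thing a responder wants is a way to see how many posts were hidden, which plugin did it, and how to put the posts back. The MySQL queries below are an added example written for this article, not Sucuri's own remediation steps. They assume the default wp_ table prefix and treat the 'null' value the article mentions as either the literal string 'null' or a real SQL NULL, since the article does not say which form was used.

```sql
-- Added example (not from the Sucuri write-up). Assumes the default 'wp_'
-- table prefix; change it if the site uses a custom prefix.

-- 1. Inventory the damage: which posts and pages were flipped to 'null',
--    and when. The article says 'null'; both a literal string and a real
--    NULL are covered because either could have been written by the plugin.
SELECT ID, post_type, post_title, post_modified
FROM wp_posts
WHERE post_status = 'null' OR post_status IS NULL
ORDER BY post_modified DESC;

-- 2. A mass change lands in a narrow time window. Bucketing by minute
--    shows when the plugin ran, which helps correlate with access logs.
SELECT DATE_FORMAT(post_modified, '%Y-%m-%d %H:%i') AS minute_bucket,
       COUNT(*) AS modified_posts
FROM wp_posts
WHERE post_status = 'null' OR post_status IS NULL
GROUP BY minute_bucket
ORDER BY modified_posts DESC;

-- 3. Find the rogue plugin. active_plugins is a PHP-serialized array of
--    plugin file paths; anything unfamiliar here deserves a look before
--    restoring content, otherwise it can simply hide the posts again.
SELECT option_value
FROM wp_options
WHERE option_name = 'active_plugins';

-- 4. Restore, only after a database dump has been taken and the plugin
--    has been removed. Restricting to posts and pages avoids touching
--    revisions and attachments, whose normal status is 'inherit'.
UPDATE wp_posts
SET post_status = 'publish'
WHERE (post_status = 'null' OR post_status IS NULL)
  AND post_type IN ('post', 'page');
```

One caveat on step 4: if the plugin overwrote every status, previously unpublished drafts and private posts lose that information too, and a blanket 'publish' would expose them. Where a pre-incident backup exists, restore post_status from it (or diff against it) rather than publishing everything, and use the bulk UPDATE only when no backup is available.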
As this was not an isolated attack, it warrants a vigilant response from us all.
Sucuri researchers offer the following advice to secure your WordPress site:
- Review admin users on the site, remove any bogus accounts, and update/change all wp-admin passwords.
- Secure your wp-admin administrator page.
- Change other access point passwords (database, FTP, cPanel, etc).
- Place your website behind a firewall.
- Follow reliable backup practices that will make restoration easy in the case of a real encryption incident.
And finally, always be sure to update your software to the latest versions to avoid all ransomware, real or illusory.
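The first item in Sucuri's list, reviewing admin users, is quick to do directly against the database. The queries below are an added example written for this article, not Sucuri's, and assume the default wp_ table prefix (WordPress names the role meta key after the prefix, so a site using a different prefix has a different meta_key). They list every account holding the administrator role, flag recently created accounts, and clear stored login sessions so that a password change actually logs out whoever was using the stolen or brute-forced credentials.

```sql
-- Added example (not from the Sucuri write-up). Assumes the default 'wp_'
-- prefix; the capabilities key is '<prefix>capabilities', so it becomes
-- e.g. 'abc_capabilities' on a site with prefix 'abc_'.

-- 1. Every account with the administrator role. Roles are stored as a
--    PHP-serialized array, so a LIKE match is the practical way to search.
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.user_registered DESC;

-- 2. Accounts created recently, regardless of role. A bogus account is
--    often registered shortly before the incident; compare these against
--    the people who are actually supposed to have access.
SELECT ID, user_login, user_email, user_registered
FROM wp_users
WHERE user_registered >= NOW() - INTERVAL 30 DAY
ORDER BY user_registered DESC;

-- 3. Which accounts currently hold a valid login session. WordPress keeps
--    session tokens in usermeta under the key 'session_tokens'.
SELECT u.user_login, m.meta_value AS session_tokens
FROM wp_usermeta AS m
JOIN wp_users AS u ON u.ID = m.user_id
WHERE m.meta_key = 'session_tokens';

-- 4. After removing bogus accounts and changing passwords, drop all stored
--    sessions. Changing a password alone does not end an attacker's
--    existing session; deleting the tokens forces every user to log in again.
DELETE FROM wp_usermeta
WHERE meta_key = 'session_tokens';
```

Run steps 1 to 3 before touching anything, and keep the output with the incident record; the admin list in particular is the evidence that tells you whether an account was added or an existing one was taken over, which decides whether credential theft or brute force is the more likely entry route.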