WordPress websites targeted with fakeout ransomware plugin
What’s worse than a ransomware threat? A fake one. I harp on how serious ransomware is all the time, ad nauseam, and because of that anyone confronted by something that looks like a ransomware gang is on high alert. Some attackers have noticed this and are now trading on ransomware’s reputation to dupe victims.
WordPress-based websites saw a spike in attack attempts in which threat actors claimed to have encrypted and locked the targeted domains. It’s a clever scheme: WordPress is a popular free tool for website development (we at Bytagig use it too), so a widespread attack paired with a demand for crypto payment looks like a quick payday. After all, many owners of WordPress websites do not have the same knowledge and cybersecurity resources as larger organizations.
So, naturally, seeing your web domain “locked” behind a bleak message claiming you’ve been encrypted is intimidating, to say the least. Many people run blogs, media sites and online shops on WordPress, so having their livelihood interrupted is understandably stressful.
Fool me once
The reality is that the abrupt surge in WordPress “attacks” was a bluff. The warning is red text on a black background telling the user they have a limited time to pay a bitcoin ransom, complete with an artificial countdown for extra intimidation. Inexperienced users may rush to a snap decision, which is exactly what ransomware and other threat actors rely on. Think of the times you have received an alert or email warning of a virus (or similar): you want to address the problem as soon as possible, and it is that reflex which, unfortunately, can be turned against us.
This is particularly nefarious because real ransomware is indeed time-sensitive: companies hit by ransomware or downtime work as quickly as possible to remedy the issue. But if the threat is fraudulent, you are paying for something you never needed.
How the false alert occurs
WordPress is widely used not only for its accessibility but for its range of plugins. Plugins and widgets grant WordPress websites different functions and services, but each plugin is different: not all are made equal, some are no longer updated, and others do not maintain the same security standards. In this campaign the attackers used a plugin as the vehicle for their fake ransom message.
The good news is that, once discovered, the offending plugin is easy to remove. The file that carried the ransom note and bitcoin address was found at /wp-content/plugins/directorist/directorist-base.php. If that file exists on your site, inspect it for the note and address and delete it (if you never installed a plugin called “Directorist”, remove the whole directory). If you do use Directorist, double-check that same file for the address.
Fixing and restoring after address deletion
We covered how the attack occurs, why, and the dangers it brings. While the plugin is easy to remove, it leaves a temporary complication that disrupts normal website navigation: it changes the post_status of the affected posts and pages to “null”, which is not a valid WordPress status, so those pages simply stop being served.
To put them back, website admins can run this SQL statement (thanks to MalwareBytes for the fix):
UPDATE `wp_posts` SET `post_status` = 'publish' WHERE `post_status` = 'null';
Here wp_ is the default table prefix; if your wp-config.php sets a different $table_prefix, use that instead. Also note that the statement publishes every row that was nulled, including posts that were drafts or private before the attack, so review post statuses afterwards or restore them from a backup.
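As an added example (not code from the original post or from MalwareBytes), the following POSIX shell script ties together the two clean-up steps described above: it checks for the plugin path named earlier, scans every plugin file for strings shaped like a Bitcoin address, and prints the restore query using the table prefix actually configured in wp-config.php rather than assuming wp_. The function names, the throwaway site tree it builds, and the address inside that fixture are all constructed for the demonstration; it assumes a stock WordPress layout with wp-config.php at the site root and plugins under wp-content/plugins.

```shell
#!/bin/sh
# Added triage helper for the fake-ransomware plugin described above. This is
# not code from the original post or from MalwareBytes; it assumes a stock
# WordPress layout (wp-config.php at the site root, plugins under
# wp-content/plugins). Every name, path and sample value below is constructed.

# Address shapes: legacy P2PKH/P2SH (1... or 3..., base58, no 0 O I l) and
# bech32 (bc1...). Good enough for triage; expect the odd false positive.
BTC_LEGACY='[13][a-km-zA-HJ-NP-Z1-9]{25,34}'
BTC_BECH32='bc1[a-z0-9]{25,62}'

# 1. Is the exact file named in the write-up present under this site root?
directorist_file_present() {
    [ -f "$1/wp-content/plugins/directorist/directorist-base.php" ]
}

# 2. List every plugin file containing something shaped like a BTC address,
#    as path:line:match. Exit status 0 means at least one hit (grep's own).
find_btc_addresses() {
    grep -rnowE -e "$BTC_LEGACY" -e "$BTC_BECH32" "$1/wp-content/plugins" 2>/dev/null
}

# 3. Read $table_prefix from wp-config.php; fall back to the default wp_.
wp_table_prefix() {
    prefix=$(sed -n "s/^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1/wp-config.php" 2>/dev/null)
    printf '%s' "${prefix:-wp_}"
}

# 4. Emit the restore query with the real prefix, preceded by a count so you
#    can see how many rows it will touch before running it.
restore_sql() {
    p=$(wp_table_prefix "$1")
    printf "SELECT COUNT(*) FROM \`%sposts\` WHERE post_status = 'null';\n" "$p"
    printf "UPDATE \`%sposts\` SET post_status = 'publish' WHERE post_status = 'null';\n" "$p"
}

# Constructed fixture: a throwaway site tree with a non-default prefix, one
# clean plugin and one file standing in for the ransom-note plugin. The
# address it contains is made up and is not a real wallet.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/plugins/directorist" "$site/wp-content/plugins/clean-plugin"
    cat > "$site/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_site_';
EOF
    cat > "$site/wp-content/plugins/clean-plugin/clean-plugin.php" <<'EOF'
<?php
function clean_plugin_init() { return 'ok'; }
EOF
    cat > "$site/wp-content/plugins/directorist/directorist-base.php" <<'EOF'
<?php
echo 'SITE ENCRYPTED. Send 0.1 BTC to 1FakeRansomNoteAddrConstructedXYZ';
EOF
    printf '%s' "$site"
}

# Stand-alone run against the fixture.
demo=$(make_sample_site)
if directorist_file_present "$demo"; then echo "directorist-base.php present"; fi
if find_btc_addresses "$demo"; then echo "address-like strings found (see above)"; fi
echo "restore SQL for prefix $(wp_table_prefix "$demo"):"
restore_sql "$demo"
rm -rf "$demo"
```

Point the functions at your real site root instead of the fixture (for example `find_btc_addresses /var/www/html`) and run the printed SELECT before the UPDATE so you know how many rows will change. The address regex is deliberately loose, so treat a hit as something to read, not as proof of compromise.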
What it means for the future
More broadly, it could signal a rise in fakeout attacks. Ransomware carries a big reputation; everyone wants to be secure and take no chances. On top of worrying about real ransomware, do we now have to confront fraudulent threats too? Possibly. Those most exposed are users of open content platforms like WordPress and other free resources, who often have the least support.
If you want to stay safe, here are a few security tips.
- Familiarize yourself with SQL injection attacks. They sound scary, but they are well understood and preventable with parameterized queries and patched plugins.
- Double-check all your current WordPress plugins. Remove any that have not been updated in a long time or are no longer maintained.
- Enable two-factor authentication (MFA) on your WordPress admin accounts.
- Always back up your content, and keep at least one copy somewhere other than the web server.