WordPress Websites Hit by Fake Ransomware


Researchers working with Sucuri spotted an unusual and slightly funny malicious campaign. A number of WordPress sites have been hit with something that only looks like ransomware.

The site owner is met with an alarming page: a black screen with bold red text informing them that their site has been encrypted. The fake notice borrows the most convincing element of real ransomware, a timer ticking down.

Victims of this unusual attack, which has very little to do with ransomware apart from the scary message, are told to pay 0.1 Bitcoin, roughly just under $6,000 at today's exchange rate. The note says the bad actors expect the crypto payment at the given wallet address "for restore".

Thankfully for anyone affected by this odd attack, the screen is nothing more than a smokescreen intended to confuse and scare the victim into playing along.

Sucuri researched the attack after a WordPress site owner contacted them about the alarming message. The page displaying the counter turned out to be a simple HTML file, and the research team called the code used to generate the scary message "very simple". The countdown timer is not tied to any real encryption either; it is just a couple dozen lines of PHP code.

All it took for the security team to flush the site clean of the fake "infection" and restore it to working order was to remove the bad plugin that generated the scary but fake ransomware notice. However, on removal the plugin executed an SQL command that went through all of the site's posts and set the status of every "published" one to "null", causing 404 errors and missing articles.

This last parting gift from the campaign was equally ineffective: it was reversible with a single line of SQL, and all articles could be restored in a snap.
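The damage and the one-line fix described above, as an added example that is not part of the original article or of Sucuri's write-up. It builds a constructed, cut-down copy of the WordPress wp_posts table in an in-memory SQLite database, reproduces the side effect of the plugin removal (every "publish" status rewritten), then shows a triage query to list the affected posts and the single UPDATE that puts them back. Assumptions: the rogue plugin wrote the literal string 'null' rather than SQL NULL (the queries below handle both), the default wp_ table prefix, and the real wp_posts column names ID, post_title, post_status and post_type.

```python
import sqlite3

# Constructed sample rows for a wp_posts table (only the columns needed here).
SAMPLE_POSTS = [
    (1, "Welcome", "publish", "post"),
    (2, "Draft idea", "draft", "post"),
    (3, "About", "publish", "page"),
    (4, "Old news", "publish", "post"),
    (5, "Welcome (revision)", "inherit", "revision"),
]


def build_db():
    """Create an in-memory stand-in for the site's wp_posts table (assumed wp_ prefix)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts ("
        "ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT, post_type TEXT)"
    )
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def simulate_plugin_removal(conn):
    """Reproduce the side effect the article describes: on removal the plugin
    rewrote every 'publish' status to 'null' (assumed to be the literal string).
    Returns the number of posts that were knocked offline."""
    cur = conn.execute(
        "UPDATE wp_posts SET post_status = 'null' WHERE post_status = 'publish'"
    )
    conn.commit()
    return cur.rowcount


def find_nulled_posts(conn):
    """Triage: WordPress never uses 'null' (or SQL NULL) as a post status on its
    own, so any row matching here is a sign of the tampering. Returns
    (ID, post_title, post_type) tuples so the list can be reviewed before fixing."""
    return conn.execute(
        "SELECT ID, post_title, post_type FROM wp_posts "
        "WHERE post_status = 'null' OR post_status IS NULL ORDER BY ID"
    ).fetchall()


def restore_published(conn):
    """Remediation: the single UPDATE the article alludes to, run inside a
    transaction so it can be rolled back if it fails. Returns rows restored."""
    try:
        cur = conn.execute(
            "UPDATE wp_posts SET post_status = 'publish' "
            "WHERE post_status = 'null' OR post_status IS NULL"
        )
        conn.commit()
        return cur.rowcount
    except sqlite3.Error:
        conn.rollback()
        raise


def public_titles(conn):
    """Titles currently visible to site visitors, i.e. with status 'publish'."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT post_title FROM wp_posts WHERE post_status = 'publish' ORDER BY ID"
        )
    ]


if __name__ == "__main__":
    db = build_db()
    print("before:", public_titles(db))
    print("knocked offline:", simulate_plugin_removal(db))
    print("nulled posts:", find_nulled_posts(db))
    print("restored:", restore_published(db))
    print("after:", public_titles(db))
```

On a real site the same two statements run against the MySQL database with the table prefix from wp-config.php; take a database backup first and compare the triage list with the set of posts that went missing, so the restore touches exactly the rows the plugin altered and nothing else.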

It seems threat actors are slowly figuring out that there is no need to code complex payloads or set up actual ransomware infrastructure when a simple scare can be just as effective much of the time. Social engineering relies on fear and pressure, and given the modest sum asked in the ransom note, it is hard to tell how many site owners actually caved in and paid the 0.1 Bitcoin.

November 18, 2021