Fake Ransomware Encryption Alert Targets WordPress Websites

Published on November 17, 2021
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor

Ransomware actors can apparently extort victims without even actually infecting the targeted devices, as researchers recently discovered. A fake encryption alert was displayed on almost 300 WordPress-hosted websites, showing a countdown timer to urge the victims into paying the ransom in Bitcoin in order to "regain" access.

The actors resorted to not even deploying malware in order to fill their virtual wallet, and the amount asked is significant considering the bogus alert. In general, ransomware actors go for endpoints in order to cripple businesses and don't bother with websites since most admins have backups at the ready.

source: Sucuri

The alarming announcement claimed the website was encrypted due to a ransomware attack and the actors asked 0,1 BTC ($6,000) to restore things to the way they were before. However, the Sucuri research team discovered that the message and the timer were just plugins displaying an HTML page and basic PHP, respectively, on an otherwise not infected website.

source: Sucuri

The researchers removed the faulty plugins to recover the main website page, but all the other pages and posts led to 404 Not Found. This was because the last part of the malicious plugin had an SQL command which changed posts and pages with "publish" status to "null" so that the attackers could still have a chance at fooling the victim if they tried removing the plugin themselves.

In the specific case presented by the researchers, a foreign IP address was interacting with the "directorist" plugin using the wp-admin plugin editor feature, suggesting the attackers tampered with a legitimate plugin that was already installed on the website.

Moreover, the first request seen from the actors' IP address was from the wp-admin panel. This means they had already established administrator access to the website before displaying the panic message. However, it's unknown whether they used brute forcing to obtain the admin password using another IP address or they already had it from the black market.

Ransomware groups sometimes like to play with their prey, so this fake encryption alert is not surprising. A new ransomware called Spook that emerged in September and targeted major US manufacturing industries is one such example since the actors decided to expose all victims, even the paying ones.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: