A threat actor has hacked nearly 300 WordPress websites to display fake encryption notices, trying to trick the site owners into paying 0.1 bitcoin for restoration.

At the time of writing, 0.1 bitcoin is worth nearly $6,069.23.

The warning indicated that the website had been hit with a ransomware attack: the files were reported to be encrypted and the attackers demanded a ransom payment of 0.1 Bitcoin.

Sucuri researchers began an investigation into the website and it turned out that nothing was encrypted at all! Normally when ransomware attacks website files the extension is changed to .lock or something similar, and the files have been rendered as unreadable, encrypted rubbish. Not so in this example!

The ransom warning was completely bogus. Nothing was encrypted at all! It was a simple HTML page generated by this bogus plugin and nothing more.

The attacker also wrote some basic PHP to generate the countdown clock:


To remove this infection, all we had to do was remove the plugin from the wp-content/plugins directory. However, once we got the main website page back, all of their pages and posts were leading to 404 Not Found responses.

The reason for this is the last snippet of the malicious plugin:

Here we see a basic SQL command which finds any posts and pages with the “publish” status and changes them to “null”. All the content was still in the database, just unable to be viewed! This can be reversed with an equally simple SQL command:

UPDATE `wp_posts` SET `post_status` = 'publish' WHERE `post_status` = 'null';

This will publish any content in the database marked as null. If you have other content marked as such, it will re-publish that, but that is certainly better than losing all your website posts and pages.
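Because the restore re-publishes every row marked “null”, it is worth listing those rows before running it. The following script is an added example, not code from the article or from Sucuri: it builds a constructed in-memory SQLite stand-in for the wp_posts table (only the columns needed here), shows which rows the restore would touch, applies the UPDATE from the article unchanged, and reports the status counts before and after.

```python
import sqlite3

# Constructed sample rows for a wp_posts table as it looks after the bogus plugin ran:
# the rows with post_status 'null' are the ones it unpublished; 'draft' and 'trash'
# are ordinary WordPress states that the restore must leave alone.
SAMPLE_POSTS = [
    (1, "post", "Hello world", "null", "2021-11-10 09:00:00"),
    (2, "page", "About", "null", "2021-11-10 09:05:00"),
    (3, "post", "Draft idea", "draft", "2021-11-12 14:30:00"),
    (4, "page", "Contact", "null", "2021-11-10 09:06:00"),
    (5, "post", "Old announcement", "trash", "2021-10-01 08:00:00"),
]


def build_sample_db():
    """Create an in-memory SQLite stand-in for wp_posts (assumption: only the columns
    used below; the real WordPress table has many more)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE `wp_posts` ("
        "ID INTEGER PRIMARY KEY, post_type TEXT, post_title TEXT, "
        "post_status TEXT, post_modified TEXT)"
    )
    conn.executemany("INSERT INTO `wp_posts` VALUES (?, ?, ?, ?, ?)", SAMPLE_POSTS)
    conn.commit()
    return conn


def list_nulled(conn):
    """Review step: the rows the restore would re-publish, with type and last-modified
    time, so anything that was 'null' for some other reason can be spotted first."""
    return conn.execute(
        "SELECT ID, post_type, post_title, post_modified "
        "FROM `wp_posts` WHERE `post_status` = 'null' ORDER BY ID"
    ).fetchall()


def restore_nulled(conn):
    """Apply the restoration statement from the article unchanged (SQLite accepts the
    MySQL backtick quoting); return the number of rows re-published."""
    cur = conn.execute(
        "UPDATE `wp_posts` SET `post_status` = 'publish' WHERE `post_status` = 'null';"
    )
    conn.commit()
    return cur.rowcount


def status_counts(conn):
    """Map of post_status -> row count, for a before/after sanity check."""
    rows = conn.execute(
        "SELECT post_status, COUNT(*) FROM `wp_posts` GROUP BY post_status"
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_sample_db()
    print("before:", status_counts(db))
    for row in list_nulled(db):
        print("would re-publish:", row)
    print("re-published", restore_nulled(db), "rows")
    print("after:", status_counts(db))
```

Against a real site the same two queries can be run from phpMyAdmin or the mysql client; the review query is the one to run first, since the restore cannot tell a row the plugin nulled from one that was nulled for any other reason.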


How to Protect your Site

Once the plugin is removed and the nulled content in the database restored, tying up the loose ends is pretty straightforward!

  • Review admin users on the site, remove any bogus accounts and update/change all wp-admin passwords
  • Secure your wp-admin administrator page
  • Change other access point passwords (database, FTP, cPanel, etc.)
  • Ideally, place your website behind a firewall
  • Don’t forget about reliable backups! Even if hackers manage to encrypt your whole site, it will be easy to restore it from the latest backup.
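The first item, reviewing admin users, can be done straight from the database. The script below is an added example, not code from the article: it builds constructed wp_users and wp_usermeta tables in SQLite, lists every account whose capabilities include the administrator role, and filters that list to accounts registered on or after a chosen date so that any account created around the time the ransom notice appeared is reviewed first. It assumes the default `wp_` table prefix (the capabilities key is the table prefix followed by `capabilities`) and the made-up account “wp-support” stands in for a bogus administrator.

```python
import sqlite3

# Constructed sample rows for wp_users. Account 3 ("wp-support") is a made-up
# example of the kind of unexpected administrator the checklist says to look for.
SAMPLE_USERS = [
    (1, "admin", "admin@example.com", "2019-03-01 10:00:00"),
    (2, "editor", "editor@example.com", "2020-06-15 12:00:00"),
    (3, "wp-support", "support@example.net", "2021-11-14 03:12:00"),
]
# WordPress keeps roles in wp_usermeta under the key <table prefix>capabilities as a
# PHP-serialized array; the constructed values below follow that format.
SAMPLE_USERMETA = [
    (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def build_sample_db():
    """In-memory SQLite stand-in for wp_users / wp_usermeta (assumption: only the
    columns needed for the audit)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE `wp_users` (ID INTEGER PRIMARY KEY, user_login TEXT, "
        "user_email TEXT, user_registered TEXT)"
    )
    conn.execute(
        "CREATE TABLE `wp_usermeta` (umeta_id INTEGER PRIMARY KEY, user_id INTEGER, "
        "meta_key TEXT, meta_value TEXT)"
    )
    conn.executemany("INSERT INTO `wp_users` VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO `wp_usermeta` VALUES (?, ?, ?, ?)", SAMPLE_USERMETA)
    conn.commit()
    return conn


def list_administrators(conn, prefix="wp_"):
    """Every account whose serialized capabilities name the administrator role.
    Returns (ID, user_login, user_email, user_registered) tuples."""
    return conn.execute(
        "SELECT u.ID, u.user_login, u.user_email, u.user_registered "
        "FROM `wp_users` u JOIN `wp_usermeta` m ON m.user_id = u.ID "
        "WHERE m.meta_key = ? AND m.meta_value LIKE '%\"administrator\"%' "
        "ORDER BY u.ID",
        (prefix + "capabilities",),
    ).fetchall()


def administrators_registered_since(conn, since, prefix="wp_"):
    """Administrators created on or after `since` (an ISO timestamp string, e.g. a few
    days before the ransom notice appeared); these are the accounts to review first."""
    return [row for row in list_administrators(conn, prefix) if row[3] >= since]


if __name__ == "__main__":
    db = build_sample_db()
    for row in list_administrators(db):
        print("administrator:", row)
    # Constructed cut-off date for the review window.
    for row in administrators_registered_since(db, "2021-11-01 00:00:00"):
        print("registered recently, review first:", row)
```

Any account in the second list that nobody on the team recognises should be removed, and the passwords of the remaining administrators changed as the checklist says.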

If you are a website owner and are affected by this attack Sucuri remediation analysts can help remove the infection for you!