WordPress has recently published an alert indicating that websites have been under a ransomware warning of being encrypted. Fake red-on-black warnings have been plastered across hundreds of WordPress sites which have also shown signs of compromise.
Sucuri researchers discovered and analyzed the fake ransomware, during an on-site scan for a file containing the bitcoin address, they discovered that the ransomware alert was simply an HTML page that displayed the notice and a PHP script that handled the timer.
How it works
WordPress content management system (CMS) is a prime focus for anyone looking to compromise websites thanks to its popularity. WordPress is an open- source CMS, which means that its source code is available for anyone to examine, modify, and improve. As a result, there are a plethora of plugins available to add to websites that perform a wide range of functions, from preventing spammers to incorporating special smileys.
Unfortunately, not many of these plugins are safe, and some even have an illegal or unethical, malicious motive. In this case, it appears that files were added to the directory of the already installed plugin.
It was simple to remove the infection once it was discovered. All victims needed to do was locate and delete the file containing the bitcoin address. In this case, the file /wp-content/plugins/directorist/directorist-base.php was the culprit. Directorist is the name of a legitimate plugin that generates directories lists based on location, category, and other preferences.
The researchers discovered that the legitimate plugin was likely already installed on the website and was later tampered with by the attackers, through backtracking changes and reviewing access logs. While it was obvious that the attacker had administrator-level access, it is unclear whether they had brute forced the admin password or obtained the already compromised login from the black market.
Even though deleting the file removed the ransom notice, it also left the researchers with a slew of 404 Not Found responses to internal website links. As it turned out, their bogus ransomware included a simple SQL command that searches for posts and pages with the “publish” status and replaces them with “null.” All of the content was still in the database, but it couldn”t be viewed!
Website administrators can reverse this effect with a simple SQL command.
UPDATE `wp_posts` SET `post_status` = “publish” WHERE `post_status` = “null”;
Taking into consideration that this command will also restore some content that was removed by the user, but it will restore all content that the plugin made invisible.
The researchers discovered an indication of the existence of a file called azz encrypt.php in the directorist directory, but they were unable to locate the file on any of the infected websites they examined. As a result, this CMS hijacking could be a work in progress that eventually aims to perform actual encryption.
While there is no patch to address this vulnerability, it is recommended that developers establish a defence mechanism to counter this vulnerability by implementing the following:
Choose your plugin wisely
When it comes to access management, consider who will have access to
make changes to your website.
Maintain vigilance against SQL injection
When it comes to uploads, limit the type of files to non-executables and
monitor them closely.
Implement the usage of strong passwords along with 2FA.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Fake Ransomware Warnings Hits WordPress.pdf