Ransomware is such a problem for organizations that bad actors are now falsely claiming to have successfully attacked a website. Those who fall for the lie will be swindled out of thousands of dollars worth of bitcoin.
But the false ransomware attacks are still tricky: They use a WordPress plugin to send the ransomware message, with an additional basic SQL command that might fool less savvy website owners into thinking their published content has vanished.
Here’s how it works and what to look for.
The Message
The scam was spotted by website security company Sucuri, which said in a recent blog post that it was contacted by multiple website owners who feared they were victims of ransomware. Their websites had been given this message:
Note the countdown clock — it’s intended to trigger a sense of urgency in the scam victim, making them less likely to assess the situation before taking action, and therefore more likely that they’ll believe what they’re seeing.
While bitcoin’s value can go up and down, it’s at about USD $6,000 right now, making this ransom too large for most small website owners, even if it’s nowhere near the typical ransom a larger company might be forced to pay for a real ransomware attack.
How to Stop It
The security experts who dealt with it quickly found out that nothing was actually encrypted. Instead, the message was the result of a bogus WordPress plugin that mostly existed to generate the simple HTML page with the message on it, complete with a little basic PHP to make the countdown clock tick down.
Once the security people visited the website’s wp-content/plugins directory, they were able to remove the plugin and fix the issue.
There was one problem, though: Thanks to a SQL command added to the end of the plugin’s code, all posts or pages with a “publish” status were updated to a “null” status — perhaps to trick less savvy website owners into thinking all their data had indeed been locked.
The change can be reversed with another SQL command, with the only downside being that all pages marked null will be published, even if they hadn’t been published previously. But all the content is still there.
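As an added example that is not part of the article or Sucuri's write-up, the script below rebuilds a minimal wp_posts table in an in-memory SQLite database (constructed sample rows), applies the status change the article describes, then shows a detection check and the reversing update. The table and column names are WordPress's own; the SQLite dialect, the sample data and the list of valid statuses used for the check are assumptions.

```python
import sqlite3

# Constructed sample of a minimal wp_posts table (a real WordPress table has many more columns).
SAMPLE_POSTS = [
    (1, "Welcome post", "publish"),
    (2, "About us", "publish"),
    (3, "Unfinished draft", "draft"),
    (4, "Scheduled launch", "future"),
]

# Statuses WordPress itself writes; anything else, such as the literal string 'null', is a sign of tampering.
VALID_STATUSES = ("publish", "draft", "pending", "private", "future", "trash", "auto-draft", "inherit")


def make_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", SAMPLE_POSTS)
    return db


def simulate_scam(db):
    """The change the article describes: every published post gets the bogus status 'null'.
    Note it is the string 'null', not SQL NULL, so the content rows are all still present."""
    db.execute("UPDATE wp_posts SET post_status = 'null' WHERE post_status = 'publish'")


def find_tampered(db):
    """Detection: rows whose status is not one WordPress uses. Returns (ID, title, status) tuples."""
    placeholders = ",".join("?" * len(VALID_STATUSES))
    sql = f"SELECT ID, post_title, post_status FROM wp_posts WHERE post_status NOT IN ({placeholders})"
    return db.execute(sql, VALID_STATUSES).fetchall()


def restore(db):
    """Reverse the scam: only rows carrying the literal 'null' go back to 'publish'.
    Drafts and scheduled posts are left alone because the scam never touched them. Returns rows changed."""
    cur = db.execute("UPDATE wp_posts SET post_status = 'publish' WHERE post_status = 'null'")
    return cur.rowcount


def statuses(db):
    """Map of post ID to current status, for checking the before/after state."""
    return dict(db.execute("SELECT ID, post_status FROM wp_posts").fetchall())
```

On a live site the same detection query against the real database (for example via phpMyAdmin or a database client) will show whether any rows sit in a status WordPress never assigns, and the restore query should be run only after a fresh backup.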
How to Stay Safe
Want to avoid this particular trap? Here are the tips to follow.
- Review who has admin access
- Update all wp-admin or other access point passwords regularly — a quality password manager can help keep your logins in good order
- Get a firewall — after making sure it’s compatible with your current software, like VPNs
- Keep a recent backup of your site
It’s no surprise that scammers are jumping on the ransomware trend even when they don’t have the malware they need. It’s a common evolution in the world of scam artistry: Once your victims are starting to know what to expect, turn those expectations against them.
Now that you know to look for both ransomware and fake ransomware, you’ll be able to tell them apart fairly easily. Just don’t let that ticking clock get in your head first.