WordPress Sites Face Wave of Fake Ransomware Scams

Why bother with ransomware when you can just lie and say you did? Here's how website owners can spot the latest scam.
Adam Rowe

Ransomware is such a problem for organizations that bad actors are now falsely claiming to have successfully attacked a website. Those who fall for the lie will be swindled out of thousands of dollars worth of bitcoin.

But the false ransomware attacks are still tricky: They use a WordPress plugin to send the ransomware message, with an additional basic SQL command that might fool less savvy website owners into thinking their published content has vanished.

Here's how it works and what to look for.

The Message

The scam was spotted by website security company Sucuri, which said in a recent blog post that it was contacted by multiple website owners who feared they were victims of ransomware. Their websites had been given this message:

[Image: site encrypted]

Note the countdown clock — it's intended to trigger a sense of urgency in the scam victim, making them less likely to assess the situation before taking action, and therefore more likely to believe what they're seeing.

While bitcoin's value can go up and down, it's at about USD $6,000 right now, making this ransom too large for most small website owners, even if it's nowhere near the typical ransom a larger company might be forced to pay for a real ransomware attack.

How to Stop It

The security experts who dealt with it quickly found out that nothing was actually encrypted. Instead, the message was the result of a bogus WordPress plugin that mostly existed to generate the simple HTML page with the message on it, complete with a little basic PHP to make the countdown clock tick down.

Once the security people visited the website's wp-content/plugins directory, they were able to remove the plugin and fix the issue.

There was one problem, though: Thanks to a SQL command added to the end of the plugin's code, all posts or pages with a “publish” status were updated to a “null” status — perhaps to trick less savvy website owners into thinking all their data had indeed been locked.

The change can be reversed with another SQL command, with the only downside being that all pages marked null will be published, even if they hadn't been published previously. But all the content is still there.
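The audit, snapshot and reversal steps, sketched as an added example (not code from Sucuri or from the plugin). It assumes the default `wp_` table prefix and that the plugin stored the literal string 'null' in `post_status`; the `restore_review` table is a hypothetical name, and the rows are constructed sample data in an in-memory SQLite database standing in for the site's MySQL database.

```python
import sqlite3

# Assumptions: default "wp_" prefix; the plugin wrote the literal string
# 'null' into post_status. restore_review is a hypothetical table name.
AUDIT_SQL = ("SELECT post_status, COUNT(*) FROM wp_posts "
             "GROUP BY post_status")
SNAPSHOT_SQL = ("CREATE TABLE restore_review AS "
                "SELECT ID, post_type, post_title FROM wp_posts "
                "WHERE post_status = 'null'")
RESTORE_SQL = ("UPDATE wp_posts SET post_status = 'publish' "
               "WHERE post_status = 'null'")

def build_sample_db():
    """Constructed stand-in for a tampered wp_posts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, "
                 "post_type TEXT, post_title TEXT, post_status TEXT)")
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (1, "post", "Hello world", "null"),
        (2, "page", "About", "null"),
        (3, "post", "Unfinished idea", "draft"),  # untouched by the plugin
        (4, "post", "Launch news", "null"),
    ])
    conn.commit()
    return conn

def status_counts(conn):
    """Audit step: how many rows sit in each status."""
    return dict(conn.execute(AUDIT_SQL).fetchall())

def restore_published(conn):
    """Record which rows will be republished, then flip them back."""
    conn.execute(SNAPSHOT_SQL)
    ids = [r[0] for r in
           conn.execute("SELECT ID FROM restore_review ORDER BY ID")]
    cur = conn.execute(RESTORE_SQL)
    if cur.rowcount != len(ids):
        conn.rollback()  # table changed between snapshot and update
        raise RuntimeError("row count changed between snapshot and restore")
    conn.commit()
    return ids

if __name__ == "__main__":
    db = build_sample_db()
    print("before:", status_counts(db))
    print("restored IDs to review:", restore_published(db))
    print("after:", status_counts(db))
```

The snapshot table gives the site owner a list of everything that was republished, so any page that should not be public can be set back by hand.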

How to Stay Safe

Want to avoid this particular trap? Here are the tips to follow.

  • Review who has admin access
  • Update all wp-admin or other access point passwords regularly — a quality password manager can help keep your logins in good order
  • Get a firewall — after making sure it's compatible with your current software, like VPNs
  • Keep a recent backup of your site

It's no surprise that scammers are jumping on the ransomware trend even when they don't have the malware they need. It's a common evolution in the world of scam artistry: Once your victims are starting to know what to expect, turn those expectations against them.

Now that you know to look for both ransomware and fake ransomware, you'll be able to tell them apart fairly easily. Just don't let that ticking clock get in your head first.


Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He's also a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and he has an art history book on 1970s sci-fi coming out from Abrams Books in 2022. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.
