But the false ransomware attacks are still tricky: They use a WordPress plugin to send the ransomware message, with an additional basic SQL command that might fool less savvy website owners into thinking their published content has vanished. Here’s how it works and what to look for.
The Message
The scam was spotted by website security company Sucuri, which said in a recent blog post that it was contacted by multiple website owners who feared they were victims of ransomware. Their websites had been given this message:

While bitcoin’s value can go up and down, it’s at about USD $6,000 right now, making this ransom too large for most small website owners, even if it’s nowhere near the typical ransom a larger company might be forced to pay for a real ransomware attack.
How to Stop It
The security experts who dealt with it quickly found out that nothing was actually encrypted. Instead, the message was the result of a bogus WordPress plugin that mostly existed to generate the simple HTML page with the message on it, complete with a little basic PHP to make the countdown clock tick down. Once the security people visited the website’s wp-content/plugins directory, they were able to remove the plugin and fix the issue. There was one problem, though: Thanks to a SQL command added to the end of the plugin’s code, all posts or pages with a “publish” status were updated to a “null” status — perhaps to trick less savvy website owners into thinking all their data had indeed been locked. The change can be reversed with another SQL command, with the only downside being that all pages marked null will be published, even if they hadn’t been published previously. But all the content is still there.
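The reversal described above, as an added example that is not taken from Sucuri's post or from this article. It assumes MySQL/MariaDB, the default "wp_" table prefix, and that the plugin wrote the literal string 'null' into post_status; the backup table name is hypothetical.

```sql
-- Added example. Assumptions: default "wp_" prefix, InnoDB tables, and the
-- status stored as the string 'null' (not SQL NULL). Take a full database
-- backup before running any of this.

-- 1. Inspect first: how many rows carry each status, per content type.
--    A large 'null' count with no 'publish' rows matches the behaviour
--    described in the article.
SELECT post_type, post_status, COUNT(*) AS row_count
FROM wp_posts
GROUP BY post_type, post_status
ORDER BY row_count DESC;

-- 2. Record exactly which rows are about to change. The article's caveat is
--    that every 'null' row becomes published, so this list is what you review
--    afterwards to re-draft anything that should not be public.
--    (wp_posts_null_backup is a hypothetical name.)
CREATE TABLE wp_posts_null_backup AS
SELECT ID, post_type, post_title, post_status, post_date, post_modified
FROM wp_posts
WHERE post_status = 'null';

-- 3. Restore the status inside a transaction so the row count can be
--    checked against step 2 before it becomes permanent.
START TRANSACTION;

UPDATE wp_posts
SET post_status = 'publish'
WHERE post_status = 'null';

-- Should equal the number of rows in wp_posts_null_backup.
SELECT ROW_COUNT() AS rows_restored;

-- If the count is unexpected, run ROLLBACK instead of COMMIT.
COMMIT;

-- 4. Confirm nothing is left in the bogus state.
SELECT COUNT(*) AS remaining_null
FROM wp_posts
WHERE post_status = 'null';
```

Remove the plugin from wp-content/plugins before running the restore; otherwise its SQL command can set the posts back to 'null' again.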
How to Stay Safe
Want to avoid this particular trap? Here are the tips to follow.
Review who has admin access
Update all wp-admin or other access point passwords regularly — a quality password manager can help keep your logins in good order
Get a firewall — after making sure it’s compatible with your current software, like VPNs
Keep a recent backup of your site
It’s no surprise that scammers are jumping on the ransomware trend even when they don’t have the malware they need. It’s a common evolution in the world of scam artistry: Once your victims are starting to know what to expect, turn those expectations against them. Now that you know to look for both ransomware and fake ransomware, you’ll be able to tell them apart fairly easily. Just don’t let that ticking clock get in your head first.