WordPress: Sites hacked via plugin, shows fake ransomware claim (Nov. 2021)

[German]Currently, some operators of WordPress sites are caught on the wrong foot. The affected WordPress instances show a warning that the site is encrypted. A ransom of 0.1 Bitcoin is demanded for decryption. However, the WordPress instance is not encrypted, but the message is displayed via a compromised plugin.


Benjamin Martin reported last Friday (11/15/2021) that they found a number of websites that spoof a ransomware infection and demand a ransom of 0.1 bitcoin to decrypt it.

Fake Ransomware message on WordPress sites

Google returns a number of hits (currently over 400) when searching for "FOR RESTORE SEND 0.1 BITCOIN" . I once accessed some designated websites and got  the above message.



(create file on site /unlock.txt with transaction key inside)

The demand amounts to approximately $6,000 to decrypt the website. At the same time, a timer is supposedly running on the page. This might make some website owners' hearts drop. But at this point, panic is not advisable and the demand should not be followed. One affected person had commissioned the security provider Sucuri to clean up his WordPress installation. When the specialists took a look, they discovered that the WordPress instance was not encrypted.


During the analysis, the researchers found that the file structure for the specified BitCoin account points to the above php file. However, this is a file of the WordPress plugin directorist. So, someone is trying to trick WordPress site owners via a vulnerability in the plugin in question.


The cleanup of this infection in this case was to remove the mentioned plugin from the wp-content/plugins directory. Problem was, however, that afterwards all pages and posts returned a 404 Not Found response. The malicious function had scanned the WordPress database for all posts and pages and set their publishing status to "zero". But this can be solved with the SQL command:

UPDATE `wp_posts` SET `post_status` = 'publish' WHERE `post_status` = 'null';

undo. The only thing you have to check is whether there were any posts whose post status was changed manually by the author. It is unclear whether the attack is still "in development", where the encryption module did not yet work. Those who were affected are considered to have gotten off lightly. More details can be found at Sucuri's blog

The direcorist plugin was updated to version 2 days ago, so that the above vulnerability can no longer be exploited. At this point, however, the note that WordPress administrators should limit the number of plugins and keep them up to date. And it is recommended to regularly backup the WordPress installation and database to quickly restore the old state in case of infection.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *