Cybersecurity firm Sucuri revealed that nearly 300 WordPress sites were hacked last week with a fake encryption message to entice site owners to pay a fee of 0.1 Bitcoin (~$6,069.23) for restoring their website.
Explaining what happened, the researchers found that the websites were not encrypted; instead, threat actors had modified an installed WordPress plugin to display a ransom note and a countdown.
The plugin used by the attackers also modified all WordPress blog entries and set their ‘post_status’ to ‘null’, thereby putting them into an unpublished state.
To return the site to its normal state, the plugin must be removed and a command executed to republish the posts and pages.
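The republish step can be modelled as follows. This is an added example, not Sucuri's code or command: an in-memory SQLite table stands in for the site's MySQL `wp_posts` table (default `wp_` prefix assumed), the rows are constructed sample data, and the function names are hypothetical.

```python
import sqlite3

# Assumption: the plugin stored the literal string 'null'; SQL NULL is matched
# too, defensively. Only posts and pages are touched, so attachments and other
# post types keep their status.
AFFECTED = ("(post_status = 'null' OR post_status IS NULL) "
            "AND post_type IN ('post', 'page')")

def build_sample_db():
    """Constructed sample rows, reduced to the wp_posts columns used here."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, "
               "post_title TEXT, post_status TEXT, post_type TEXT)")
    db.executemany("INSERT INTO wp_posts VALUES (?, ?, ?, ?)", [
        (1, "Hello world", "null", "post"),
        (2, "About", "null", "page"),
        (3, "Unfinished idea", "draft", "post"),    # untouched by the restore
        (4, "Old news", "trash", "post"),           # untouched by the restore
        (5, "logo.png", "inherit", "attachment"),   # not a post or page
        (6, "Pricing", None, "page"),               # SQL NULL variant
    ])
    db.commit()
    return db

def find_affected(db):
    """List the entries the restore would change, for review before acting."""
    return db.execute("SELECT ID, post_type, post_title FROM wp_posts "
                      f"WHERE {AFFECTED} ORDER BY ID").fetchall()

def republish(db):
    """Republish the affected entries in one transaction; return the count."""
    expected = len(find_affected(db))
    with db:  # commits on success, rolls back if an exception is raised
        cur = db.execute("UPDATE wp_posts SET post_status = 'publish' "
                         f"WHERE {AFFECTED}")
        if cur.rowcount != expected:
            raise RuntimeError("row count changed between review and update")
    return cur.rowcount

if __name__ == "__main__":
    db = build_sample_db()
    for row in find_affected(db):
        print("will republish:", row)
    print("republished:", republish(db))
```

Because the previous status of each entry was overwritten, the list from `find_affected` is worth reviewing first: anything that was an unpublished draft before the incident would also be republished.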
Giving further details, Sucuri said the attack was not an isolated incident but a detailed plan forming part of a wider campaign.
The security firm explained that the first point where the actor’s IP address appeared was the wp-admin panel, showing that they had logged in as admins, either through brute force or with stolen credentials from the dark web.