Slew of WP-based business sites compromised to lead to ransomware

If an approach works well, there is no reason to change tack, and the masters of the SoakSoak botnet are obviously of the same belief.

SoakSoak redirect attack and infection sequence

A year and a half after they were spotted compromising WP-based websites through vulnerabilities in the Slider Revolution (“RevSlider”) plugin and redirecting visitors to malware-laden websites, they are at it again.

“Websites are often compromised by botnets that scan websites for vulnerable software or application plugins,” Invincea’s Pat Belcher explains. “Once a botnet identifies a vulnerable server, it compromises it by adding redirection scripts so that visitors are sent to an alternate site hosting an exploit kit to deliver the ransomware to the unwitting victim.”

In this latest campaign, the compromised sites range from that of tires and sporting goods manufacturer Dunlop, to the official Guatemalan Tourism site and sites of firearms dealers.

“Once a victim is redirected to the Neutrino Exploit Kit, the endpoint is scanned to check if it is using any security software such as VMWare, Wireshark, ESET, Fiddler or a Flash player debugging utility. If those programs are not present on the victim host, the Command Shell is opened and the Windows utility Wscript is accessed to download the ransomware payload from a Command and Control server,” says Belcher.

Currently that ransomware is CryptXXX, which continues to be upgraded and modified.

To keep their sites and their visitors safe from this and other similar menaces, WP website admins are advised to regularly update their installations, themes and plugins.

“If you have old plugins or themes that are no longer in use, remove them from the system completely. Monitor your access logs and use your website’s firewall or .htaccess file to block addresses of automated scanners,” Belcher advises, noting that there are security related plugins that admins can use to prevent brute force password guessing and block automated scripted attacks.
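As an added example (not code from the article or from Invincea), one way to act on the access-log advice above: parse constructed Apache combined-format log lines, flag hosts that enumerate plugin directories which do not exist on the site, and render an Apache 2.4 `.htaccess` fragment that denies them. The log regex, the sample addresses and every plugin name other than RevSlider are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" access-log format (assumed; adapt to your server's LogFormat).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PLUGIN_PREFIX = "/wp-content/plugins/"

# Constructed sample: one host walking plugin directories (all 404s, a RevSlider probe
# among them) and one ordinary visitor loading an asset of an installed plugin.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2016:10:00:01 +0000] "GET /wp-content/plugins/revslider/readme.txt HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2016:10:00:01 +0000] "GET /wp-content/plugins/example-a/readme.txt HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2016:10:00:02 +0000] "GET /wp-content/plugins/example-b/readme.txt HTTP/1.1" 404 211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2016:10:00:02 +0000] "GET /wp-content/plugins/example-c/readme.txt HTTP/1.1" 404 211 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Jun/2016:10:00:03 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Jun/2016:10:00:04 +0000] "GET /wp-content/plugins/revslider/rs-plugin/css/settings.css HTTP/1.1" 200 4210 "http://example.org/about/" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield parsed records, silently skipping lines that do not match the format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def find_scanners(log_text, min_plugins=3):
    """Return {ip: sorted plugin slugs} for hosts that request at least min_plugins
    distinct plugin directories and get a 4xx for each: real visitors load assets of
    plugins that exist, while scanners enumerate many that do not."""
    missing = defaultdict(set)
    for rec in parse(log_text):
        path = rec["path"]
        if path.startswith(PLUGIN_PREFIX) and rec["status"].startswith("4"):
            slug = path[len(PLUGIN_PREFIX):].split("/", 1)[0]
            missing[rec["ip"]].add(slug)
    return {ip: sorted(s) for ip, s in missing.items() if len(s) >= min_plugins}

def htaccess_block(ips):
    """Render an Apache 2.4 .htaccess fragment denying the given addresses."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)

if __name__ == "__main__":
    hits = find_scanners(SAMPLE_LOG)
    for ip, slugs in hits.items():
        print(f"{ip}: probed {len(slugs)} missing plugins: {', '.join(slugs)}")
    print(htaccess_block(hits))
```

Review the flagged addresses before applying the fragment; a shared NAT or CDN egress address can show the same pattern as a scanner.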
