A great number of sites that are hosted on WordPress are now being infected with a ransomware that modern security software tools are unable to detect.
Security researchers at Heimdal found an extensive amount of these WordPress infections that cause the compromised sites to bring unsuspecting users to Internet domains that contain the Nuclear Exploit Kit. This kind of kit contains large volumes of exploits that can be used to compromise Flash, Reader, and Acrobat products from Adobe, as well as Microsoft tools such as Internet Explorer and Silverlight.
The Nuclear Exploit Kit has been sighted in recent memory, in which it had been used to drop ransomware on various computers.
Worse yet, there are other iterations of the Nuclear Exploit Kit that leave the more harmful Cryptowall ransonmware in compromised computers, the most recent of such incident having taken place in November of the previous year.
According to Heimdal security experts, the ransonmware campaign is being used to drop Teslacrypt in the target computers. Teslacrypt is a sort of crypto-ransomware that encrypts files contained in the local hard drive of a computer and asks the owners a ransom in the form of Bitcoin, for example, in exchange for the key to unlock the encrypted documents.
The Teslacrypt ransomware works in a subtle way, meaning it would be hard for the victims to notice an irregular activity going on within their computer system. But more to the point, Teslacrypt is a cause of major concern for individuals due to its substantial impact on the financial and security aspects of the victims.
Teslacrypt was updated in July of last year with a new scheme for encryption that imitates the features of the Cryptowall ransomware. The newest WordPress infections work to exploit an unknown flaw using an obfuscated JavaScript. When users visit a compromised site, they will be redirected to another domain dubbed chrenovuihren. Once in the domain, an online fraudulent ad asks users to go to a site that hosts the Nuclear Exploit Kit, unbeknownst to them.
The ransomware campaign leverages a number of domains in order to roll out the malicious code. These domains are, in fact, acting as subdomains of chrenovuihren. As of this writing, the security experts have been able to block nearly 90 domains.
It would help to update the content management system of WordPress in order to avoid falling prey to this kind of ransomware, according to the researchers. Better yet, implement a backup plan in order to guard against any kind of ransomware.
Nick Colakovic says
Updating WP regularly and having a backup plan are very important things to do in order to keep your site and data safe. Good tips!