Wednesday, February 24, 2016

27 Comments on "WordPress-Delivered Ransomware and Hacked Linux Distributions"



willc February 23, 2016 at 9:44 am • Reply
I think you need to change the title of this article to "WordPress-delivered" instead of "WordPress Delivered." I read the subject in my email that you just sent and thought you were saying that WordPress delivered malware and hacked ISOs.


Mike February 23, 2016 at 10:16 am • Reply
Ditto! I panicked - thinking that the trusted WordPress Foundation was directly delivering WordPress.org distributions that were laced with ransomware back-doors.


D:


Good to know. Thank you.


mark February 23, 2016 at 10:26 am • Reply
Dangit, I replied to Will as soon as he posted but ended up replying on a different blog post. Thanks Will, I made the change immediately when you posted your comment. We're not in the habit of posting click-baity titles, so hope it's clearer now.


Geves February 23, 2016 at 9:51 am • Reply
Thank you for sharing such interesting WordPress security updates.


Jeffrey Frankel February 23, 2016 at 9:53 am • Reply
What puzzles me about a ransomware attack is when you pay the money it must go to someone, a company, a person. Why can't the police find these people?


The Roach February 23, 2016 at 10:51 am • Reply
Bitcoins are the closest financial transactions can get to being anonymous right now - and if you could discover the culprit, chances are, he's located in a country that doesn't extradite for computer hacking.


Elsie Gilmore February 23, 2016 at 11:13 am • Reply
So, couldn't one just delete all their files through FTP, delete the database and create the site again from scratch? I don't understand how this works. What am I missing? Is this only a problem if you don't make regular backups?


cfc February 23, 2016 at 11:38 am • Reply
Yes, that is correct. This can affect personal and business computers, not just websites, and unfortunately many people don't make regular backups.


Damien February 23, 2016 at 11:47 am • Reply
The encryption is of files on your computer, like photos and documents. Fixing your web site may prevent the site from being used to infect others but does not unencrypt the files on the computer.


cfc February 23, 2016 at 11:37 am • Reply
Based on the screenshot and what I've read elsewhere, payment is required in Bitcoin, which has no direct connection to anyone's real world identity, and associated communications are via Tor, which runs over multiple encrypted proxies, preventing a network trace. Finding the culprits is not impossible, but is pretty close unless you have NSA-level resources.


Even if you did manage to track them down, the hackers who commit these types of crimes can be located anywhere in the world - and if they're smart, they target victims in other countries. If you live in, say, Miami, and you go to your local police with a ransomware attack, even if you got lucky and somehow tracked down the culprit, when they see it's coming out of China or Uzbekistan or something, there's just not going to be much they can do for you.


mark February 23, 2016 at 12:20 pm • Reply
We have an excellent resource that explains Tor in the learning center: https://www.wordfence.com/learn/the-tor-network-faq/


Bitcoin can be anonymous. Bitcoin has a kind of public ledger in the blockchain that gives you public knowledge of all transactions and transaction history. All transactions can be traced to a wallet, but if you can't tie the wallet to an identity, you can't figure out who the individual is. Any individual can create as many wallets as they'd like - some recommend creating a new wallet for each transaction.


Clay Johnson February 23, 2016 at 12:22 pm • Reply
The police in Ukraine, China, or Brazil (the biggest hacker countries) are useless for resolving complaints. In many cases the hackers either work with or are protected by the authorities.


Neville Gosling February 23, 2016 at 10:16 am • Reply
Surely the Hollywood Presbyterian Medical Center had back-ups that they could have reinstalled?


preschem February 23, 2016 at 4:04 pm • Reply
Good point. We were hit with ransomware last year, but not via WordPress. We were hiring staff and I inadvertently opened a macro-enabled Word doc titled "resume" and BOOM! It started to encrypt the main SBS in addition to my machine. I powered down the server and my machine and restored from the previous evening's backup. My machine was a wipe-the-HDD-and-start-again scenario, but we lost half a day's trading data across the business group.


Moral of this story is back up and back up often, even if it's only incremental. And then make sure you have multiple copies of backups offsite and regularly check that you can restore something from a file. If something like this happens, take a copy of the most recent backup out of circulation until you're sure that you're out of danger. Like a month. It saved my bacon as I had to restore a few bits and pieces over the following week that were missed.


Portable HDDs are cheap and having multiple offsite backups which are rotated gives you a near foolproof disaster recovery. Oh, and run in a VM environment. These days if you are running a business server for small to medium businesses and you're not doing so as a VM, you're completely insane. Site burns down, you take the backup of the entire server environment to a datacentre, mount it on another hypervisor. Back in business within a day or two at worst.
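The routine preschem describes (back up often, keep rotated copies, and actually test that a restore works) is easy to script. The following is an added example written for this page, not code from the comment author or from Wordfence: it makes a timestamped tar archive of a directory with a SHA-256 manifest, proves the archive restores by unpacking it into a scratch directory and re-checking every file, and prunes old copies. The source path, destination path and retention count are all hypothetical arguments; copying the archives offsite is left to whatever transport you already use.

```shell
#!/bin/sh
# Added example: backup with checksum manifest, test restore, and rotation.
# Assumes a POSIX shell plus tar, sha256sum, find and sort (GNU coreutils).
set -eu

# make_backup SRC DEST [STAMP]
# Archive SRC under DEST as backup-STAMP.tar.gz and write a SHA-256 manifest
# next to it. STAMP defaults to the current UTC time. Prints the archive path.
make_backup() {
    src="$1"; dest="$2"; stamp="${3:-$(date -u +%Y%m%dT%H%M%SZ)}"
    mkdir -p "$dest"
    dest=$(cd "$dest" && pwd)             # absolute path, so later cd's don't break it
    archive="$dest/backup-$stamp.tar.gz"
    tar -C "$src" -czf "$archive" .
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$archive.sha256"
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE
# Restore ARCHIVE into a scratch directory and check every file against the
# manifest. Returns 0 only if the archive unpacks and all checksums match.
# A backup that has never been restored is an assumption, not a backup.
verify_backup() {
    archive="$1"
    scratch=$(mktemp -d)
    if tar -C "$scratch" -xzf "$archive" \
       && ( cd "$scratch" && sha256sum --quiet -c "$archive.sha256" ); then
        rm -rf "$scratch"; return 0
    fi
    rm -rf "$scratch"; return 1
}

# rotate_backups DEST KEEP
# Delete all but the newest KEEP archives (and their manifests) in DEST.
# Names sort by timestamp, so lexical order is chronological order.
rotate_backups() {
    dest="$1"; keep="$2"
    count=$(ls -1 "$dest"/backup-*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
    [ "$count" -gt "$keep" ] || return 0
    ls -1 "$dest"/backup-*.tar.gz | sort | head -n "$((count - keep))" | while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# Typical nightly use (hypothetical paths):
#   a=$(make_backup /var/www/example /srv/backups) && verify_backup "$a" && rotate_backups /srv/backups 7
```

Keep the verify step in the cron job rather than running it by hand once: the point of preschem's story is that the restore was tested before it was needed. Pulling one archive out of the rotation (copy it somewhere the script does not prune) is how you hold a known-good copy for the month he recommends.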


Kevin Brown February 23, 2016 at 6:35 pm • Reply
Neville,

I am in total agreement with you, someone should lose their jobs over this.


I have no less than three backups of all the data I own, websites included. Both securely cloud stored and physically on my premises in an extremely secure SAN. The entire annual cost is <$150.


Maximillian Heth February 23, 2016 at 10:39 am • Reply
Wow, now that is friggin' scary! =S If there was ever a top reason to secure your site as much as possible, this is definitely a story worth sharing! Thanks guys! =)


Samuel Guebo February 23, 2016 at 10:44 am • Reply
Ransomware can really be a hard thing to deal with. I faced TeslaCrypt 1 month ago. One of my clients got infected by this ransomware. The process was tricky but I made my way out and wrote an article on how I did it. Here is the link [Editor: To the utility he used to clean his site. I'm assuming you're not the author. Thanks for the info Samuel.]: https://github.com/googulator/teslacrack


mark February 23, 2016 at 10:58 am • Reply
Looks like this tool may be effective at cracking TeslaCrypt. More on the Norton forums about it including several replies from the author: http://community.norton.com/en/forums/how-decrypt-teslacrypt-vvv-files


More press on this utility here (Credit for the utility is incorrectly attributed to a vendor. It's developed by an independent developer.): http://www.myce.com/news/indian-security-researchers-crack-encryption-of-teslacrypt-ransomware-victims-get-files-back-for-free-78399/


If you have been hit by TeslaCrypt, this may be a solution until the malware is updated to fix the flaw TeslaCrack is exploiting.


Michael Gillespie February 23, 2016 at 11:25 am • Reply
TeslaCrypt has MANY variants. The older variants indeed can be decrypted using TeslaCrack by Googulator or TeslaDecoder by BloodDolly. These include the ones that leave files with the extensions .ecc, .exx, .ezz, .abc, .aaa, .xyz, .zzz, .ccc, and .vvv. However, the newest variants have corrected the flaw, and it is no longer decryptable. The newest TeslaCrypt 3.0 uses the extensions .xxx, .ttt, .micro, and .mp3.


[Editor: Removed marketing links]
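Before reaching for TeslaCrack or TeslaDecoder it helps to know which variant you are actually looking at, and Michael Gillespie's comment above gives the extension lists that distinguish the older, decryptable families from TeslaCrypt 3.0. The script below is an added example for this page, not code from the commenter or from either decryptor project. It walks a directory tree, sorts affected files by the extension lists from the comment, and recovers the original file name. It assumes, as an illustration rather than a claim from the thread, that the malware appends its extension to the complete original name (photo.jpg becomes photo.jpg.vvv), and treats .mp3 as suspicious only when such a double extension is present, since .mp3 is also a legitimate extension. The "decryptable" label is the comment's point-in-time statement, not a guarantee.

```python
#!/usr/bin/env python3
"""Added example: triage files by TeslaCrypt extension (not from the thread)."""
import os
from typing import Dict, List, Optional, Tuple

# Extension lists as given in Michael Gillespie's comment.
OLDER_EXTS = {".ecc", ".exx", ".ezz", ".abc", ".aaa", ".xyz", ".zzz", ".ccc", ".vvv"}
TESLACRYPT3_EXTS = {".xxx", ".ttt", ".micro", ".mp3"}

# Assumption: these extensions also occur on ordinary files, so we only flag
# them when the stem itself still carries an extension (report.docx.mp3).
AMBIGUOUS_EXTS = {".mp3"}

FAMILY_OLDER = "older-decryptable"   # TeslaCrack / TeslaDecoder applied per the comment
FAMILY_V3 = "teslacrypt3"            # flaw fixed; no decryptor per the comment


def classify(path: str) -> Tuple[Optional[str], str]:
    """Return (family, original_name). family is None for unaffected files.

    original_name is the name with the ransomware extension stripped, which is
    what you will need when you restore from backup or run a decryptor.
    """
    name = os.path.basename(path)
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext in OLDER_EXTS:
        family = FAMILY_OLDER
    elif ext in TESLACRYPT3_EXTS:
        family = FAMILY_V3
    else:
        return None, name
    if ext in AMBIGUOUS_EXTS and not os.path.splitext(stem)[1]:
        return None, name            # plain song.mp3, not an encrypted file
    return family, stem


def triage_paths(paths: List[str]) -> Dict[str, List[str]]:
    """Group a list of paths by TeslaCrypt family; order within a group is kept."""
    result: Dict[str, List[str]] = {FAMILY_OLDER: [], FAMILY_V3: []}
    for p in paths:
        family, _ = classify(p)
        if family is not None:
            result[family].append(p)
    return result


def triage(root: str) -> Dict[str, List[str]]:
    """Walk a directory tree and triage every regular file under it."""
    found: List[str] = []
    for dirpath, _, files in os.walk(root):
        found.extend(os.path.join(dirpath, f) for f in files)
    return triage_paths(found)


def summary(result: Dict[str, List[str]]) -> Dict[str, int]:
    """Counts per family, the first thing to report to the site owner."""
    return {family: len(paths) for family, paths in result.items()}


if __name__ == "__main__":
    import sys
    res = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for family, count in summary(res).items():
        print(f"{family}: {count}")
    for family, paths in res.items():
        for p in paths:
            print(f"  [{family}] {p} -> {classify(p)[1]}")
```

Run it against a copy of the affected tree, not the live one: the first job after containment is to preserve the encrypted files exactly as they are, since the older decryptors need them intact, and the counts tell you whether a restore from backup is the only realistic route.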


Darrel "Root" Carpenter February 23, 2016 at 11:04 am • Reply
Thanks Mark for the information.


Jeffrey Frankel, Bitcoin is quite difficult to trace. Bitcoin was built to be anonymous but sometimes it can be tracked if the user makes a mistake somewhere in their process. Additionally, most police departments haven't got a clue, but since this is Los Angeles both the LAPD and LA County Sheriff's Department are big enough to have "Cyber" divisions, so you can be sure one of them is working on this case.


Neville Gosling,

You would be amazed how many large corporate and government offices DON'T have a backup plan or routine. I am stunned to see just how many BIG companies don't have a plan and their only recourse to the CryptoLocker/ransomware type attacks is simply to pay up. Otherwise you simply format, reload your OS, move on and suffer the loss of data, and hope it's just not that bad.


Good Luck to everyone!


-Root-


Lisa February 23, 2016 at 11:37 am • Reply
I am not questioning this scenario, but sometimes I do wonder if it's just easy to blame WordPress.


That aside, will people ever learn that backups are often the most important function they can perform to help themselves?


Off my soapbox.


dave February 23, 2016 at 11:47 am • Reply
Again, thanks for a great insight, but in addition to good security you should also have a good backup routine in place, which in turn could get rid of the problem easily, as long as you can work out how your site got infected in the first place.

But I think this post highlights something much more important, and that is the duty of care that we as site owners have towards our visitors in ensuring their visits to us are safe.


John Norton February 23, 2016 at 11:54 am • Reply
Here's a story about a school district in South Carolina (Myrtle Beach) that's paying the ransom. Here's one of the stories: http://www.myrtlebeachonline.com/news/local/education/article61869482.html


A February 23, 2016 at 1:48 pm • Reply
I have both WordPress security and Wordfence installed, I keep my plugins up to date and yet my website gets compromised on average every 2 weeks... Maybe I'd be better without any plugins..


Mehmet HAKAN February 23, 2016 at 2:24 pm • Reply
I think the responsibility for Linux or the server is the hosting provider's. We have to trust them. Am I right?


Dave February 23, 2016 at 11:14 pm • Reply
Yes, you are right, the Linux operating system, Apache and any other software that's crucial to the server doing its job is our responsibility; however, the software and scripts, e.g. WordPress, plugins and themes, that you put on the server are your responsibility. It works both ways my friend.


David February 23, 2016 at 4:22 pm • Reply
I watched once as a folder in my Dropbox suddenly got attacked by ransomware. I was getting a ton of notifications on my screen that something was happening, and fortunately it was a folder that I rarely used, but it was accessed by some people who must have had low security systems. It was kind of creepy to watch files get converted to some file format I never heard of. I was able to delete that folder immediately from Dropbox and that ended the threat. I did get to see their ransom message. Sheesh.


WordPress-Delivered Ransomware and Hacked Linux Distributions - Wordfence
