Hackers use ransomware, and its use is growing rapidly and getting more sophisticated. At the very least you should be aware of what it is, because it can affect WordPress installs that get hacked and redirect visitors to malicious sites.
In fact, a 2014 study conducted by Heimdal Security found the most commonly exploited vulnerable software to be:
- Oracle Java Runtime environment
- Adobe Acrobat Reader
- Adobe Flash Player / Plugin
- Apple Quicktime
Hacked WordPress sites host the redirect code that exploits visitors running older versions of web software such as Internet Explorer and Microsoft Silverlight, as well as the software in the list above. The software used to do this is sold through the dark web and is called the Nuclear exploit kit. Of the malware out there, this is one of the worst to be infected with.
The Nuclear exploit kit first appeared in 2009. Exploit kits target software vulnerabilities and are the tool of choice for hackers to extract personal details, which are then used for online fraud and identity theft.
By exploiting programs like Adobe Flash Player, Nuclear can deliver malicious code directly to operating systems such as Windows. Their evolution over the past few years means that exploit kits are not only able to install data exfiltration malware but also ransomware.
WordPress sites are first hacked with code that redirects visitors to sites that display advertising, usually for hosting. The advertising contains more code to lure visitors to the Nuclear exploit kit, where they will be infected with TeslaCrypt, a program that encrypts files so they can’t be used until a ransom is paid for a decryption key, hence the term ‘ransomware’.
For example, the domain chrenovuihren used advertisements that forced traffic to servers hosting the Nuclear exploit kit. As fast as Google blacklists known fraud sites, new Nuclear gateways pop up again.
Heimdal Security identified several IP addresses as Nuclear gateways. The criminal campaign relies on a number of domains to spread the malware, all of which are subdomains of chrenovuihren.
According to trendmicro.com more than 90% of computers infected by the Nuclear exploit are in Japan with the US rated second at just 3%.
The fascinating thing is that the way in which WordPress sites are infected is not known. It’s thought to be by exploiting weak passwords or badly coded plugins; either way, it opens multiple backdoors on the server.
This is particularly concerning on shared hosting, where if one WordPress install becomes infected it will contaminate all the others. So what can you realistically do to protect against ransomware?
The front-line strategy is to keep up to date with software updates. As they always remind us, updates take account of the very latest threats and therefore offer the best protection from exploit programs.
Consider using an extra layer of protection: multi-factor authentication, known as 2-Factor Authentication (2FA or TFA). It’s that extra piece of information we sometimes call the ‘memorable password’: your mother’s maiden name, first pet’s name etc.
Using a username and password together with a memorable key makes it harder for hackers. Using 2FA strengthens the WordPress login against hackers. In February 2011 Google introduced 2FA for their online users, which was later followed by MSN and Yahoo.
You can apply 2FA to a WordPress install by using a plugin; one of the most popular is Wordfence. Find out more about WordPress 2FA here.
Applying stronger passwords is another tool, but it is unlikely to be practical if you operate websites under shared hosting. What you can do is inform clients and advise them to strengthen their passwords and to employ a good anti-spyware solution to remove phishing or exploits delivered through malicious emails.
Ensure you have an adequate backup policy and facility. Many old hands have learned the hard way and watched years of hard work disappear down the Swanny. Backups used to be done in case your hard disk crashed; these days they are a critical part of your business survival strategy. Ask yourself seriously what you would do if the websites you manage vanished overnight.
Let that answer be a priority in your plan going forward.