Website operators running sites on the WordPress platform need to be aware of a massive string of infections that as of Thursday were poorly detected by security products.
Researchers at Heimdal Security said the compromised sites redirect victims to other domains hosting the Nuclear Exploit Kit, a potent collection of exploits for vulnerable Adobe products (Flash, Reader, Acrobat), Internet Explorer and Microsoft Silverlight, that has in the past, and in this case, been dropping ransomware on infected computers.
Other versions of Nuclear EK have been dropping the dangerous Cryptowall ransonmware, as recently as late November. This campaign, Heimdal researchers said, infects computers with Teslacrypt.
Teslacrypt, like other versions of crypto-ransomware, encrypts files stored on the local hard drive and demands a ransom in exchange the encryption key. Researchers at FireEye estimated that the ransomware made more than $76,000 in a three-month span early last year, a paltry sum compared to the millions hauled in by Cryptolocker and other ransomware families. FireEye researched some of the early Teslacrypt victims, many of whom had no idea what happened to their machines and were concerned about their job security and financial well-being as a consequence of the infections. In July, a new version of Teslacrypt came with a fresh encryption scheme and other feature that mimicked Cryptowall.
162[.]243[.]77 [.] 214.
“The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use,” Heimdal researchers wrote in a blog post. The malicious domains are subdomains of the chrenovuihren domain, Heimdal said, adding that it has already blocked more than 85 domains. Two of 66 security products on VirusTotal detect the threat as of last night.
Heimdal’s findings come less than a week after security company Sucuri announced it had uncovered a similarly large campaign. Heimdal said in its report that it believes the same group is behind both attacks, but cannot confirm that fact.
In the meantime, Heimdal researchers urge WordPress operators to update the content management system as soon as possible—an update was released this week—and back up their file systems regularly. Regular backups to multiple locations are the best defense against ransomware, along with updated detections for known ransomware.