A number of legitimate websites were hit by a botnet, which redirects visitors to a malicious site where the ransomware CryptXXX is downloaded. CryptXXX's exploit kit has the ability to evade security software and virtual machines. How did these legitimate websites get hijacked? What should be done to protect users' systems from being infected when visiting websites?
Having a web presence is critical to running a modern business. Many people may not be able to find a business without a web presence or they may go to a competitor with a better website. Unfortunately, it requires some resources to have a web presence and even more so for businesses that decide to self-host their websites. Many businesses will hire an IT contractor or web developer to set up their website and will use WordPress because it's relatively easy to post content with it. The downside is that running a self-hosted WordPress website requires maintaining the security of the system, including all the WordPress components.
Patrick Belcher, director of malware analysis at endpoint security software vendor Invincea, wrote a blog post about how many businesses running self-hosted WordPress websites have had them compromised by the SoakSoak botnet, which scans for WordPress systems with vulnerable plug-ins. The botnet identifies vulnerable plug-ins by requesting the plug-ins' known default URLs. Once a vulnerable system is identified, it is compromised so that it redirects visitors to a website hosting the Neutrino exploit kit, which is then used to compromise vulnerable endpoints with the CryptXXX ransomware.
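The plug-in enumeration Belcher describes leaves a recognizable footprint in the web server's own access log: a single client requesting many distinct /wp-content/plugins/&lt;slug&gt;/ paths, most of which return 404 because the plug-in is not installed. The following Python example is added here (it is not from the original answer or from Invincea) and flags that pattern over constructed Apache combined-format log lines; the IP addresses and plug-in slugs are constructed.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format access log lines (not real traffic).
# 203.0.113.7 walks a list of plug-in slugs; 198.51.100.4 is a normal visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2016:10:01:02 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:10:01:02 +0000] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:10:01:03 +0000] "GET /wp-content/plugins/plugin-c/plugin-c.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2016:10:01:03 +0000] "GET /wp-content/plugins/plugin-d/css/style.css HTTP/1.1" 200 1021 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2016:10:02:10 +0000] "GET /2016/05/some-post/ HTTP/1.1" 200 8123 "https://example.net/" "Mozilla/5.0"
198.51.100.4 - - [10/May/2016:10:02:11 +0000] "GET /wp-content/plugins/plugin-d/css/style.css HTTP/1.1" 200 1021 "https://example.net/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) ')
PLUGIN_RE = re.compile(r'^/wp-content/plugins/(?P<slug>[^/]+)/')

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_plugin_probes(log_text, min_distinct=3, min_404_ratio=0.5):
    """Return {ip: {"slugs": [...], "misses": n}} for clients whose plug-in requests
    look like enumeration: at least min_distinct slugs, mostly answered with 404."""
    per_ip = defaultdict(lambda: {"slugs": set(), "hits": 0, "misses": 0})
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        pm = PLUGIN_RE.match(rec["path"])
        if not pm:
            continue  # not a plug-in path; ordinary page traffic
        stats = per_ip[rec["ip"]]
        stats["slugs"].add(pm["slug"])
        if rec["status"] == "404":
            stats["misses"] += 1
        else:
            stats["hits"] += 1
    flagged = {}
    for ip, s in per_ip.items():
        total = s["hits"] + s["misses"]
        if len(s["slugs"]) >= min_distinct and s["misses"] / total >= min_404_ratio:
            flagged[ip] = {"slugs": sorted(s["slugs"]), "misses": s["misses"]}
    return flagged

if __name__ == "__main__":
    for ip, info in find_plugin_probes(SAMPLE_LOG).items():
        print(f"{ip}: probed {len(info['slugs'])} plug-in slugs, {info['misses']} 404s -> {info['slugs']}")
```

A hit on this pattern is a reason to confirm every installed plug-in is current and to check the site's pages for injected redirects, not proof of compromise by itself.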
Enterprises can follow standard antimalware guidance for endpoint security and use network security controls to prevent the CryptXXX ransomware from being installed on their endpoints by drive-by downloads. Regardless of the other security controls used, backups of critical data are necessary.
WordPress publishes security guidance for users, including automatic updating, which should be enabled when setting up and maintaining a self-hosted WordPress system. Users with limited IT resources should carefully evaluate how they host their WordPress site to ensure it is properly maintained, and to avoid creating an IT public health nuisance that is used to infect other people on the internet with CryptXXX. Using a hosted WordPress site may be slightly more expensive, but it requires significantly less work to maintain.