TeslaCrypt Ransomware Aggressively Spreads Through Compromised WordPress Sites

Ransomware has been one of the most aggressive types of malware threats we have encountered over the past year. With each new ransomware threat, the reach of cybercrooks effectively collecting ransom fees increases exponentially. As it turns out, cybercrooks spreading new encryption type ransomware threats are initiating campaigns of compromised WordPress sites to spread a variant of the TelsaCrypt Ransomware infection.

Researchers at Heimdal Security have discovered instances where a campaign that was known to push the Neutrino Exploit Kit, effectively spreading the Backdoor.Andromeda malware, is being levered to compromised WordPress sites for the purpose of spreading TeslaCrypt Ransomware. We have had first-hand experience with TeslaCrypt Ransomware, and it has been ousted as a threat with a low detection rate essentially allowing it to spread must faster than other similar threats.

The abundance of domains already used to spread TeslaCrypt has recently increased in the past weeks. Of those domains used to spread the TeslaCrypt Ransomware, ones that are verified as being compromised WordPress sites, Heimdal Security has blocked at least 85 of them so far.

We already reported how TeslaCrypt Ransomware was being spread through outdated WordPress sites through the Neutrino Exploit Kit. Now, the same campaign is continuing with updated and extremely aggressive attack methods.

WordPress sites have commonly been an attack platform for hackers and cybercrooks. The WordPress software, one of the most utilized content management platforms for web development, is an open source type that may be easily exploited by nifty hackers. It is no surprises to us that we see yet another instance of WordPress sites being compromised for the purpose of spreading malware, which in this case is an aggressive form that we know to be the TeslaCrypt Ransomware threat.

As we known with TeslaCrypt Ransomware, it is one of the many recent threats that encrypt files on an infected computer and later gives the computer user a method to decrypt the files. The only catch is that in order to decrypt the files, which will restore an infected system with encrypted files back to normal operation, the computer user will need to pay a fee for the decryption key. Usually, the price for decryption costs upwards of $500 to over $1000, which earns the cybercrooks behind TeslaCrypt a nice pay day.

Digging into the technical details of the updated attack in compromising WordPress sites, it has been discovered that when attackers compromise the sites, the malware is programmed to inject JavaScript files that have malicious code. Within the code, there are instructions for sites hosted on the same server to all be compromised with the malware.

Researchers first could find specific traits that allowed the campaign to spread only to serve annoying pop-up advertisements. Eventually, the malware evolved into a much more serious threat by redirecting users to an exploit kit.

Through hidden redirects, the malware spreading ransomware is starting to evolve and spread the threats onto computers administered by unsuspecting computer users. This is in the case of computer users utilizing an ad blocker, and the automatic hidden redirects may take place without the computer user noticing and installing the malware threat.