The ransomware threat is far from over, even though security researchers are scoring small victories left and right. A new botnet, going by the name of SoakSoak, is pushing the Neutrino Exploit Kit. As a result, the number of attempts to spread CryptXXX ransomware is on the rise as well. This is not positive news by any means, as WordPress websites are being targeted in this new attack.
A New Rise In CryptXXX Ransomware Distribution
Invincea released its findings in a report two days ago, detailing how the SoakSoak botnet is pushing CryptXXX ransomware distribution to new levels. Interestingly enough, this particular botnet has been in existence since 2014 and is best known for its worrisome ability to scan any website and detect potential vulnerabilities.
Once existing business websites have been compromised, their visitors are redirected to a new site which delivers the Neutrino Exploit Kit. Websites running the Revslider plugin – commonly found among WordPress sites these days – are especially susceptible to this attack. Users who are redirected to this fake landing page will download malicious software in the package, leading to the installation of CryptXXX ransomware.
Among the infected websites are the Guatemalan official tourist website, as well as a Mexican water supply firm’s homepage. Even though the website owners will not notice anything out of the ordinary, security researchers discovered that website traffic is redirected to a fake page. Not every visitor will be vulnerable to attack, but computer users who do not update their system on a regular basis will be susceptible to CryptXXX.
Over the past two and a half years, the SoakSoak botnet operators have stepped up their game. Infecting WordPress websites is a worrisome trend, to say the least. For the time being, the attacks seem to be directed at users who browse the Internet through Internet Explorer on the Windows operating system.
What this new method of attack does is allow assailants to exploit the Revslider WordPress plugin, and append scripts to redirect victims to exploit kit landing pages. Once a user clicks on the slideshow or video, they will be brought to a website where the Neutrino Exploit Kit is hosted.
It is not the first time ransomware distribution is taking place through the Neutrino Exploit Kit. CryptXXX is just the most popular version for now. In the past few months, TeslaCrypt and CryptoWall were distributed through a similar method. Updating the Revslider plugin is of the utmost importance to any WordPress website owner, as versions 4.1.5 and higher are no longer vulnerable.
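One way to check an install against the 4.1.5 threshold above, as an added example that is not part of the original article. It assumes the plugin's main file is named revslider.php and carries a standard WordPress "Version:" header; the function names and the sample directory tree are constructed for illustration.

```python
import os
import re
import tempfile

FIXED = (4, 1, 5)  # from the article: 4.1.5 and higher are no longer vulnerable
# Assumption: revslider.php carries a standard WordPress "Version:" header.
VERSION_RE = re.compile(r"^[\s*#@]*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.I | re.M)

def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_vulnerable(version):
    """Unknown versions count as vulnerable so they get a manual review."""
    if version is None:
        return True
    # Pad short versions ("4.2" -> 4.2.0) before comparing with the threshold.
    return version + (0,) * (len(FIXED) - len(version)) < FIXED

def audit(root):
    """Check every revslider.php under root, including copies bundled in themes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "revslider.php":
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read(8192))
            findings.append((os.path.relpath(path, root), version, is_vulnerable(version)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample install: one outdated bundled copy, one updated plugin."""
    samples = {
        "wp-content/themes/demo/plugins/revslider/revslider.php": "4.1.4",
        "wp-content/plugins/revslider/revslider.php": "4.6.5",
    }
    for rel, ver in samples.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write("<?php\n/*\nPlugin Name: Revolution Slider\nVersion: %s\n*/\n" % ver)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, version, vuln in audit(tmp):
            print("UPDATE" if vuln else "ok    ", rel, version)
```

To audit a real site, call audit() with the WordPress document root; a copy reported with no version has no readable header and needs a manual look.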