Over 2,000 WordPress- and Joomla-Based Sites Infected with CryptXXX Ransomware

At least 2,000 sites built on WordPress and Joomla! content management systems have been infected with CryptXXX ransomware, following a mass infection campaign in the past two weeks, web security firm Sucuri revealed.

The campaign has been growing the last two days and hit at least 2,000 sites based on our limited telemetry data from the SiteCheck scanner, said Daniel Cid, Founder & CTO. We assume the real number of hacked sites is at least 5x bigger, since we are limited to sites that used our scanner. The first indicator of a site affected by this campaign can be traced to Jun 9th, which is when we think the campaign first started.

The hackers exploited plugin vulnerabilities, their campaign infecting at least 100 sites daily. Once the sites were infected, the users were redirected to a site hosting the Neutrino Exploit Kit which infected their device with CryptXXX ransomware by exploiting the browser through either Flash or PDF reader vulnerabilities.

The attacker is likely targeting common vulnerabilities across either platform, and the updated instances are likely residual effects of being in the same environment. Note however, that the vulnerability being used is likely not in the core, but in the extensible components like plugins and extensions, Cid added.

The campaign has been named “Realstatistics” because the domains used were realstatistics[.]info and realstatistics[.]pro.

As of July 3, Google has been detecting and blacklisting sites containing the malicious code.