WordPress is a great platform for building dynamic websites. But like any popular content management system, it’s a big target for attack.
A few days ago, security researchers began noticing that WordPress websites were being compromised in a specific kind of attack that turned otherwise normal sites into distributors of TeslaCrypt, a powerful piece of ransomware that can devastate businesses and public sector organizations by encrypting their data and holding it hostage.
Here’s how this attack works:
- The attacker gains entry to your WordPress site.
- They infect some of your files so that — when users visit your site — their browser unknowingly pulls in code from the attacker’s server. (That’s a bit of a simplification — if you’re interested in the actual mechanics of it, you can read this overview on ThreatPost)
- The injected code sends the visitor’s browser to a page running the Nuclear Exploit Kit, a sort of Swiss Army Knife of exploits for unpatched browsers and browser plug-ins (Flash, Java, Silverlight and the like) that the kit tries one after another in order to gain control of the visitor’s computer. Note who the victim is here: the ransomware lands on your visitors’ computers, not on your web server, so an infected site hurts the very people who trust it.
- If the kit gets its payload onto a visitor’s computer, the payload begins encrypting the files on it. The key needed to decrypt them is known only to the attacker, and the victim is then prompted to pay for it. Don’t pay, and you lose all of your data. Forever.
It’s currently not known how many WordPress sites are affected. Generally, sites running older versions of the platform are the most vulnerable to attack. Old, poorly-maintained plugins are also a usual culprit.
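One way to check a page for the symptom described above, the browser being told to load code from a host that is not yours: the Python script below (an added example, not code from the original post or from any vendor named on this page) parses a page’s HTML and lists every host that a script, frame, embed or object tag pulls from, other than the site itself and any CDNs you choose to allow. The sample HTML and every host name in it are constructed placeholders, not real indicators of this campaign.

```python
"""Added example: list the external hosts a page tells the browser to load
code from.  Not code from the original post or from Sucuri/Wordfence; the
sample HTML and every host name in it are constructed placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag -> attribute pairs through which static HTML can make a browser fetch
# and execute something from another server.
CODE_LOADING = {
    "script": "src",
    "iframe": "src",
    "frame": "src",
    "embed": "src",
    "object": "data",
}


class ExternalLoadFinder(HTMLParser):
    """Collect (tag, url) for every code-loading reference in the markup."""

    def __init__(self):
        super().__init__()
        self.loads = []

    def handle_starttag(self, tag, attrs):
        attr = CODE_LOADING.get(tag.lower())
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.loads.append((tag.lower(), url.strip()))


def external_hosts(html, site_host, allowlist=()):
    """Return the set of hosts, other than the site itself and the allowlist,
    that the page loads scripts, frames or objects from.

    Relative URLs ("/wp-includes/js/...") have no host and are same-origin, so
    they are skipped; protocol-relative URLs ("//evil.example/x.js") are not.
    """
    finder = ExternalLoadFinder()
    finder.feed(html)
    trusted = {site_host.lower()} | {h.lower() for h in allowlist}
    hosts = set()
    for _tag, url in finder.loads:
        host = urlparse(url).hostname  # None for relative URLs
        if host and host.lower() not in trusted:
            hosts.add(host.lower())
    return hosts


# Constructed page: one same-origin asset, one allowed CDN, and two injected
# references of the kind the infected files in this attack produce
# (a hidden 1x1 iframe and a script served from a bare IP address).
SAMPLE_HTML = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example-theme.net/theme.min.js"></script>
</head><body>
<p>Welcome to our nonprofit.</p>
<iframe src="//ads.attacker.example/gate.php" width="1" height="1" style="display:none"></iframe>
<script src="https://198.51.100.23/ad.js"></script>
</body></html>"""

if __name__ == "__main__":
    for host in sorted(external_hosts(SAMPLE_HTML, "www.example.org",
                                      allowlist=["cdn.example-theme.net"])):
        print("loads code from:", host)
    # prints 198.51.100.23 and ads.attacker.example
```

Run it against what a visitor’s browser actually receives (the page source as served, fetched with a normal browser User-Agent), because injections like this commonly vary what they serve from one visitor to the next. In this campaign the payload was appended to existing JavaScript files rather than written into the page HTML, so a clean page source does not mean clean files; pair this check with a comparison of your site’s files against a known-clean backup.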
Below, we’ve answered some major questions that our clients and others are likely to have about this attack, and its ongoing implications for WordPress security. We have also outlined some strategies that you and your nonprofit can take — right now — to reduce the likelihood and impact of attacks.
Am I Affected?
None of our clients have been affected by this attack as of the time of this writing. We are stepping up security measures and monitoring our clients’ sites to ensure that they stay uninfected. In addition, we are increasing the frequency of our backups.
If your site is not maintained by Glaance, you should immediately scan your site’s URL with VirusTotal, which checks it against scanners from dozens of providers. Only a handful of them detect this infection at the moment, so treat a clean result as a good sign rather than proof. If you are infected, take your site offline immediately and consult a security professional regarding your next steps. If you are currently uninfected, do the following:
- Patch WordPress to the latest version (4.4.2 as of the time of this writing).
- Update every plugin you actually use, and deactivate and delete the rest. A deactivated plugin’s files stay on the server and can still be reached directly by an attacker, so removal, not just deactivation, is the goal.
- Consider forcing WordPress to use SSL (HTTPS). This protects logins and admin sessions from being read or altered on the network; it does not by itself stop an attacker who already has write access to your files, so treat it as one layer among several. It is a multi-step process that will probably involve some changes to the code of your site. You will also either need to purchase and deploy an SSL certificate (recommended) or use CloudFlare’s free one-click SSL. A skilled consultant or developer can help you with this step.
- Download and install a security plugin from Sucuri or Wordfence. These scan the individual files that make up your website, comparing WordPress core files against known-good copies and flagging files that have been modified or added. Consider purchasing a premium subscription to either of these services, which will provide you with additional monitoring and protection.
- Change your admin and user passwords to something long and random, and do the same for every other credential that reaches the site: FTP/SFTP, hosting control panel and database passwords. If you don’t want to write down or remember something that difficult, use a password manager like LastPass to store it.
- Enable two-factor authentication in your security plugin. You’ll need a mobile phone for this step, either to receive text-message codes or to run an authenticator app. Here is a comprehensive explanation of what two-factor authentication is and why it’s important.
In addition, you should make frequent backups of your WordPress site. Duplicator by InTheGrid is a great plugin that lets you back up, copy, and clone WordPress sites. If you use Duplicator or another backup plugin, we recommend saving the *.zip files it generates somewhere other than the web server itself (an attacker who can modify your site’s files can just as easily modify or delete backups stored alongside them) and organizing them by date. That way, you will always be able to patch and restore your site from a copy taken before the compromise, even if you lose a few posts or comments. A backup taken after the infection contains the backdoors too, so check the date before you restore.
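The two ideas above, checking that the files making up your site are clean and keeping a dated, known-good copy to restore from, meet in a file-integrity manifest. The Python below is an added example (not code from the original post, nor from Duplicator, Sucuri or Wordfence): it hashes every file while the site is known clean, and later diffs the live tree against that manifest to list modified, added and removed files, plus any PHP hiding in the uploads directory. The tiny "site" it builds in demo() is constructed in a temporary directory; the file names and contents are placeholders.

```python
"""Added example: a stand-alone file-integrity check for a WordPress install.
Hash every file while the site is known clean, keep that manifest off the
server, and later diff the live tree against it.  Not code from the original
post, Duplicator, Sucuri or Wordfence; the mini-site in demo() is constructed."""
import hashlib
import json
import tempfile
from pathlib import Path

# Directories whose contents change during normal operation and would drown
# the report in noise.  Uploads are checked separately for PHP, because a
# directory meant for images is a favourite place to hide a web shell.
SKIP_DIRS = ("wp-content/uploads", "wp-content/cache")


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large media files need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, skip_dirs=SKIP_DIRS):
    """Map relative POSIX path -> sha256 for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in skip_dirs):
            continue
        manifest[rel] = hash_file(p)
    return manifest


def compare(baseline, current):
    """Diff two manifests; each value is a sorted list of relative paths."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def php_in_uploads(root):
    """Any .php file under wp-content/uploads is almost always planted."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    if not uploads.is_dir():
        return []
    return sorted(p.relative_to(root).as_posix() for p in uploads.rglob("*.php"))


def demo():
    """Build a constructed mini-site, snapshot it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        clean_files = {  # constructed placeholders, not real WordPress code
            "index.php": "<?php require './wp-blog-header.php';",
            "wp-includes/js/jquery/jquery.js": "/* jQuery placeholder */",
            "wp-content/themes/demo/functions.php": "<?php // theme functions",
            "wp-content/uploads/2016/02/photo.jpg": "not really a jpeg",
        }
        for rel, body in clean_files.items():
            (site / rel).parent.mkdir(parents=True, exist_ok=True)
            (site / rel).write_text(body)

        # Snapshot while clean.  In real use, write this JSON somewhere the
        # web server cannot reach, next to the dated backup it belongs to.
        baseline_json = json.dumps(build_manifest(site), sort_keys=True)

        # Simulated compromise: code appended to a legitimate .js file and a
        # new PHP file dropped into a core directory (the kinds of change seen
        # in this campaign), plus the classic PHP web shell among the uploads.
        with open(site / "wp-includes/js/jquery/jquery.js", "a") as f:
            f.write("\n/* appended payload placeholder */")
        (site / "wp-includes/class-wp-helper.php").write_text("<?php // backdoor placeholder")
        (site / "wp-content/uploads/2016/02/photo.php").write_text("<?php // web shell placeholder")

        report = compare(json.loads(baseline_json), build_manifest(site))
        report["php_in_uploads"] = php_in_uploads(site)
        return report


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For WordPress core files specifically, WP-CLI’s `wp core verify-checksums` makes the same comparison against the checksums published by wordpress.org, so no baseline of your own is needed for those; themes and plugins are where a manifest like this earns its keep. Refresh the baseline after every legitimate update, and store the JSON with the dated backup it describes rather than on the web server.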
How Did This Happen?
At the moment, it isn’t entirely clear how the attackers gained access to the sites. So far, Sucuri has found that the infected sites they have analyzed had multiple backdoors. The attackers are also updating their code frequently, leading to re-infections after people thought their sites had been cleaned up.
What is Ransomware?
Ransomware is a type of malware that effectively holds your computer hostage until you perform a specified action. Some of the worst varieties of ransomware encrypt the files on a user’s computer and demand payment — usually in Bitcoin — to decrypt them.
If this happens and you don’t have your data backed up, you have two basic options: pay the ransom, or don’t pay it.
Paying the Ransom: Your first instinct would probably be to pay the ransom. After all, your computer contains valuable documents, photos, and business data that you need to access. The problem with paying, however, is that you’re giving the people behind it a financial incentive to continue infecting other computers. Plus, there’s no guarantee your data will ever be decrypted. The old adage still holds true: there is no honor among thieves.
Don’t Pay the Ransom: If you choose not to pay, you still have a few things you can try. Resources like Kaspersky Labs’ decryption tool and Bleeping Computer’s TeslaDecoder may work with older varieties of ransomware. Unfortunately, the new version of TeslaCrypt (the primary type of ransomware being deployed through this attack) employs more sophisticated means to keep your data locked up tight.
Ransomware attacks indiscriminately. Individuals, businesses, government agencies, and nonprofits have all been affected. The ransom demanded is low enough (< $1,000) that the attackers can count on many people deciding to pay, rather than lose all of their data.
With most ransomware attacks, the goal is simply to get payment; attackers don’t generally care about the data one way or another. But if your organization is vulnerable to ransomware, it is also wide open to other sorts of attacks that seek to steal the data itself. Consider what you store on your nonprofit’s computers: things like client records, protected health information, social security numbers, and donor information all have a value to the wrong people.
How Can I Protect My Organization from Ransomware?
Malware usually comes into an organization in one of two ways: either someone visits a compromised website (like the WordPress sites in this attack) on a computer whose browser or plug-ins are unpatched, or they open a malicious e-mail attachment, which often does not look suspicious at all. The most important step you can take is to educate everyone in your organization about good web safety practices. Beyond this:
- Using an e-mail service with a spam filter and antivirus scanning — like Google for Nonprofits or Office 365 Nonprofit — reduces the chances that someone will accidentally infect your network.
- You should also make sure that your computers are secured using a well-maintained, paid antivirus solution. There are many options out there, and everyone seems to have their favorite (and a strong opinion). We have had good experiences with Kaspersky Labs products.
- Make sure that all of your computers are running up-to-date operating systems, and that all of the software you are running, including web browsers and browser plug-ins such as Flash and Java, is patched to the latest version. Exploit kits like the one used in this attack rely on visitors running old, unpatched versions of exactly these components. Through nonprofit IT vendor TechSoup, you can upgrade your computers to Windows 10 for a nominal fee. Block employees and volunteers from installing new programs and plugins on their own.
- Invest in a good software and / or hardware firewall for your networked computers. A firewall is a program or physical device that places a barrier between your computers and the rest of the web, allowing you to filter the traffic that comes through.
- Regularly back up your most important data to an external hard drive that is not connected to a computer on your network 24/7. Ransomware encrypts every drive it can write to, including plugged-in USB drives and mapped network shares, so a backup that stays connected is not a safe backup. Also, consider backing up your data to cloud storage, either through Google Drive or by using an enterprise backup service.
- Make sure everyone in your organization uses complex passwords, and never share passwords between users. If a volunteer or an intern needs access to a computer, create an account for them — don’t give them your credentials!
- Instruct all employees and volunteers never to give out passwords or account names, whether by phone, e-mail, or in person, to anyone. Many of the largest and most damaging data breaches start with social engineering, like this leak of 20,000 FBI agents’ names and phone numbers two days ago.
All of these suggestions are general good practices that protect you against all sorts of potential attacks, not just ransomware.
If you do not have a dedicated IT person who is up-to-date on the latest security trends, you should consider hiring one, outsourcing your IT to a reliable vendor, or working with a consultant to set up a system that makes sense for your organization.
Where to Go From Here
Securing your site — and your organization’s computers — can be daunting if you don’t know what you’re doing. Thankfully, there are plenty of products, services, and organizations that can help you. Glaance can help your organization build a comprehensive security strategy.
We can’t guarantee that your systems will never be compromised — no one can — but by putting in place the right hardware, software, and training, we can help you eliminate many holes in your armor.
Contact us today for personalized advice on how to protect your nonprofit from attack.
We are tremendously grateful to Heimdal Security and Sucuri for their continued work on researching these exploits, and we recommend that our clients and readers also subscribe to their newsletters and blog feeds for up-to-date news on this and many other web security topics.