Skip to content ↓ | Skip to navigation ↓

Ransomware is on the rise. According to the McAfee Labs Threat Report: May 2015, this threat saw a 165% increase in the first quarter of 2015 alone. In response, security researchers have periodically released removal kits designed to help victims of crypto-ransomware variants recover their encrypted files.

However, given the diversification of ransomware, including their incorporation of popular television shows as luring mechanisms and their increased focus on mobile platforms, the advantage currently rests with those who write and promulgate these malicious programs.

One of the latest ransomware attacks detected by security researchers at Heimdal Security leverages outdated content management systems (CMS) and/or outdated plugins to redirect user traffic to domains that serve up the Neutrino exploit kit and drop Teslacrypt ransomware.


For context, out of the approximately one billion websites that exist in the world today, 58.7 percent of them run some version of the web management platform WordPress. Additional research indicates that over one-fifth of those WordPress installations run an outdated version, which means that more than 100 million websites are vulnerable to CMS-based attacks that leverage either outdated CMS or outdated plugins/inadequately configured security settings.

“From the CMS to plugins, something tends to slip through the cracks and isn’t noticed until it’s too late,” Chris Boyd, senior malware intelligence analyst at Malwarebytes told “Additional wrinkles are caused by small silos being responsible for their own little slice of digital real estate and not communicating with others. As a result, WordPress may be up to date, but an old, vulnerable plugin may be lying in wait to cause havoc.”

wordpress versions research
Source: Heimdal Security

WordPress is not the only CMS platform available to organizations, either, meaning that even more websites are vulnerable to this particular method of attack.

Attack Methodology

In a post published on its blog, Heimdal Security explains that a malicious script injected into a vulnerable website references a halfway house on thedancingbutterfly [.] Com. This location then redirects traffic to nkzppqzzzumhoap [.] Ml, a domain which has a very low detection rate of 4/63 on VirusTotal and which is found on a Netherlands-based server known for delivering the Neutrino exploit kit.

At this point in time, Neutrino exploits writing condition vulnerabilities in Internet Explorer and Adobe Flash Player in an attempt to drop Teslacrypt, a form of ransomware that made news earlier this year when it demonstrates its ability to encrypt files associated with popular video games including Call of Duty and Dragon Age.

Teslacrypt in this scenario adds Recovery_File_ [any text] .txt to every file that it encrypts, injects itself into “iexplore.exe” and “cmd.exe”, and picks up an infostealer that is part of the Pony family.

teslacrypt ransomware
A screenshot of Teslacrypt’s ransom page (Source:


Website administrators and sysadmins who use a CMS can protect themselves against the Neutrino-Teslacrypt attack described above by installing and patching updates to their systems as soon as they become available.

Morten Kjaersgaard, CEO of Heimdal Security, could not agree more with this assessment.

“When it comes to ransomware, you can never be too prepared, either as a website owner or a usual user making your way around the web,” explains Kjaersgaard. “The best ways users can stay safe from these infected WordPress sites is to keep their software up-to-date and use a good web filtering software on the endpoint, which can block the infected sites that are targeting to deliver exploits to your computer. This naturally requires a common effort to educate users and spread the message about the importance of security on their computers.”

To learn more about ransomware, including tips on how you can protect your computer from becoming infected, please click here.

Title image courtesy of ShutterStock