Attackers are targeting business websites through a vulnerable version of the Revslider slideshow plugin for Wordpress to spread the CryptXXX ransomware.
Security vendor Invincea warned that the SoakSoak botnet, active since 2014, is currently scanning for websites running a vulnerable version of Revslider.
Once a vulnerable installation is found, SoakSoak adds a redirection script to another website that contains the popular Neutrino exploit kit. Neutrino looks for security tools and debuggers on the target system, and if none are found, it drops the CryptXXX ransomware.
CryptXXX appeared in April this year and attacks Microsoft Windows computers. Files scrambled by the latest version of the ransomware cannot yet be decrypted. The ransom is set at 2.4 bitcoin, or A$2154, to obtain a decryptor from the extortionists.
Invincea listed a number of websites it discovered had been compromised, including that for Australian building supplies and adhesives business Dunlop.
Dunlop parent Ardex Australia said it was "currently investigating" the weakness and declined to elaborate.
A vulnerable version of the RevSlider plugin for Wordpress was behind the March 2015 compromise of the New South Wales government GovDC website. In December 2014, over 100,000 sites with the Revslider plugin were compromised in a single day.
Invincea has collated a list of global business sites currently compromised by the SoakSoak ransomware-spreading campaign.
The firm warned that botnets are constantly scanning webservers around the world, looking for vulnerable plugins, themes or outdated content management systems, to exploit for redirections to exploit kits.
It advised admins to monitor their sites, keep them fully patched and to remove any themes and plugins are not in use.
Update: Ardex IT supervisor Jürgen Mertin said the vulnerability was removed within an hour after the company was advised of the vulnerability by iTnews. He said the company had not been notified of the issue by Invincea.
