You know to avoid sketchy sites, and always double-check your URLs. You like to think that going to a legitimate business website is going to be pretty safe, malware-wise. But alas, even the most legitimate site is vulnerable to security flaws… and a whole wave of them have recently been hijacked to try to extort money from you.

As Ars Technica reports, dozens of legitimate websites worldwide — from the Guatemalan touristry board, to a firearms dealer, to home-builders, to a Mexican water utility — are all redirecting would-be users to a malicious website that attempts to install a type of ransomware.

One of the highest-profile targeted sites is massive international manufacturing conglomerate Dunlop, perhaps best-known in the U.S. for its sporting goods. (Maybe, uh, don’t go look up their website right this minute, though.)

The ransomware in question is called CryptXXX, and it works by encrypting all your files, then demanding payment to decrypt them — or else. If you don’t pay up roughly $500 or more (depending on the bitcoin exchange rate), you can say goodbye to anything that was on any connected drive. And yes, that includes network drives, if it’s a business computer that gets hit. And the malware in question is specifically designed to try a whole bunch of different ways to worm its way into your system and get what it wants.

The rash of compromised sites almost certainly comes from a botnet exploiting some vulnerability common to the tech underlying all those sites. Reachers at one security firm suspect the botnet may be the well-known SoakSoak, and that the shared vulnerability could be an outdated WordPress plugin.

It’s not the first time dozens or more sites have been hit at once, Ars points out; in 2014, Google had to blacklist 11,000 sites in a single day when a botnet compromised a particular WordPress plugin.

In the meantime, this particular attack is not likely to go away anytime soon. The botnet is in, and will continue to be in. Thousands of small, medium, and large sites run by thousands of small, medium, and large businesses are all over the web in different states of patching, vulnerability, and repair… and it’s almost certain that more will be targetable.

Wave of business websites hijacked to deliver crypto-ransomware [Ars Technica]