Beware Crypto Ransomware

Last week one of our staff opened a zip attachment that squirmed its way through the mail filters. Boom – cue a host of fileservers with files infected by cryptoware – it encrypts your files and renames them to the extension .locky – you can pay to have them unlocked! Nice – luckily I found the offending machines, re-imaged them and deleted all files and restored from backup. Problem solved – well, apart from blocking zip attachments (probably something I should have done ages ago!).
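Finding the extent of the damage is the first job in an incident like this. The following is an added example, not code from the original post: it assumes only what the post states (encrypted files were renamed to the .locky extension) and walks a file share, collecting every such file and summarising per top-level folder with the first and last modification times, so the start of the encryption run can be lined up against the mail gateway log for the zip attachment. The sample share it builds is constructed, not real incident data.

```python
"""Locate ransomware damage on a file share by its renamed extension.

Added example, not the post's own tooling. Assumes encrypted files carry
the .locky extension as reported; nothing else about the malware is assumed.
"""
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone

RANSOM_EXT = ".locky"  # extension reported in the post; adjust for other families


def find_encrypted(root, ext=RANSOM_EXT):
    """Return a list of (path, mtime_epoch) for every file under root ending in ext."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(ext):
                path = os.path.join(dirpath, name)
                hits.append((path, os.stat(path).st_mtime))
    return hits


def summarise(root, hits):
    """Group hits by first path component under root: count, first and last mtime.

    The earliest mtime across the share is roughly when the encryption began;
    the spread between folders shows the order in which it worked through them.
    """
    buckets = defaultdict(list)
    for path, mtime in hits:
        rel = os.path.relpath(path, root)
        top = rel.split(os.sep)[0]
        buckets[top].append(mtime)
    summary = {}
    for top, times in buckets.items():
        summary[top] = {"count": len(times), "first": min(times), "last": max(times)}
    return summary


def build_sample_tree():
    """Constructed sample share (not real incident data) so the script runs offline."""
    root = tempfile.mkdtemp(prefix="share_")
    layout = {  # relative path -> mtime (epoch seconds)
        "finance/q1.xlsx.locky": 1000,
        "finance/q2.xlsx.locky": 1060,
        "finance/readme.txt": 900,
        "hr/policy.docx.locky": 1120,
        "eng/design.vsd": 800,
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x")
        os.utime(path, (mtime, mtime))
    return root


if __name__ == "__main__":
    share = build_sample_tree()
    report = summarise(share, find_encrypted(share))
    for top, info in sorted(report.items()):
        first = datetime.fromtimestamp(info["first"], timezone.utc)
        last = datetime.fromtimestamp(info["last"], timezone.utc)
        print(f"{top}: {info['count']} files, {first:%H:%M:%S} .. {last:%H:%M:%S} UTC")
```

Point `find_encrypted` at the mounted share root instead of the sample tree to use it for real. On a Windows share the owner of each renamed file is the quickest pointer to the workstation and account that did the encrypting; that lookup needs platform-specific APIs and is left out here.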

Here’s some more info, found on Neowin.net:

We already know that ransomware has become a growing threat to users around the world. Last week, Mac users saw their first such attack on Apple’s operating system. By encrypting a user’s local files and holding them ransom for payment in the hundreds of dollars, the perpetrators have become increasingly sophisticated in their methods to extract money. The software is so difficult to deal with that the FBI advises people and businesses to just pay up to unlock their files.

Now, according to Trend Micro, the past 24 hours have seen a rash of new crypto-ransomware spreading through popular websites. The attack, dubbed Angler Exploit Kit, is taking advantage of vulnerabilities in Adobe Flash and Microsoft Silverlight, among others, to feed the malware through compromised ad networks.

Malwarebytes is reporting that the “malvertising” is hitting the BBC, MSN, nfl.com, The New York Times, my.xfinity.com and many others in the form of clickable banners. The anti-malware company provided lots of detail around the exploit, reporting a number of suspicious domains through which the ads are apparently served. Google’s ad network carried trackmytraffic[.]biz, while the AOL, Rubicon and AppNexus ad networks carried talk915[.]pw as well. Other suspicious domains include brentsmedia[.]com, evangmedia[.]com and shangjiamedia[.]com.

According to a blog post by SpiderLabs at Trustwave, as reported by Ars Technica, the team inspected a JSON-based file and wrote the following:

If the code doesn’t find any of these programs, it continues with the flow and appends an iframe to the body of the html that leads to Angler EK [exploit kit] landing page. Upon successful exploitation, Angler infects the poor victim with both the Bedep trojan and the TeslaCrypt ransomware–double the trouble. Google’s ad network was compromised in this attack, according to MalwareBytes. Last year, Google reported to have made progress in filtering ad injectors and malicious sources across the ad networks it manages. However, it would appear that the ad network still has work to do.

Credit John Devon – neowin.net
