Malvertising campaign delivers digitally signed CryptoWall ransomware

The wave of attacks through malicious advertisements continues to hit visitors of popular websites

The cybercriminals behind the CryptoWall ransomware threat have stepped up their game and are digitally signing new samples before using them in attacks in an attempt to bypass antivirus detection.

Researchers from network security firm Barracuda Networks found new CryptoWall samples that were digitally signed with a legitimate certificate obtained from DigiCert. The samples were distributed through drive-by download attacks launched from popular websites via malicious advertisements.

Several websites in the Alexa top 15,000 list were affected by this latest malvertising -- malicious advertising -- campaign including hindustantimes.com, the site of Indian daily newspaper Hindustan Times; Israeli sports news site one.co.il; and Web development community codingforums.com.

"In every case, malicious content arrived via the site's use of the Zedo ad network," the Barracuda researchers said in a blog post Sunday.

Zedo together with Google's DoubleClick ad network were also used by attackers this month to post malicious advertisements on the Times of Israel, the Jerusalem Post and Last.fm websites among others. That attack campaign distributed a malware program called Zemot.

In a malvertising attack visitors' browsers are redirected by rogue ads to third-party pages that execute exploits for vulnerabilities in outdated browser plug-ins like Java, Flash Player, Adobe Reader or Silverlight.

"Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim's system," the Barracuda researchers said in their analysis of the new attack. "The particular instance delivered via tonight's campaign has a valid digital signature and appears to have been signed just hours before its distribution."

CryptoWall is a particularly nasty ransomware program. Once installed on a system it encrypts files that match a long list of file extensions using strong public-key cryptography. It then asks victims to pay a ransom in Bitcoin in order to receive the key needed to recover their files.

There's currently no completely reliable method of recovering CryptoWall-encrypted files aside from paying the ransom or restoring them from backups that haven't been damaged during the infection. Security researchers advise against paying the ransom because this helps further the fraud and there's no guarantee of getting the key when dealing with cybercriminals.

A recent analysis of the CryptoWall operation by Dell SecureWorks revealed that the malware has infected more than 600,000 computer systems since March and earned its creators over US$1 million.

The digital signing of CryptoWall samples is likely an attempt to evade antivirus detection. The success of this approach is debatable since this practice is no longer uncommon among malware developers and many security products account for it. However, there might be cases where signing malware with certificates stolen from trusted developers might bypass some application whitelisting rules.

The new CryptoWall samples were not detected by any of the 55 antivirus products used on the VirusTotal website when they were discovered Sunday, the Barracuda researchers said. The detection rate has slightly increased since then, they said.

In order to protect themselves against malvertising and drive-by download attacks in general users should keep the software installed on their computers up to date, especially the Web browsers and their plug-ins. They should also enable click-to-play for plug-in based content if the feature is available in their preferred browser.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityfraudmalwareencryptionExploits / vulnerabilitiesBarracuda NetworksZedo

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?