Malvertising campaign delivers digitally signed CryptoWall ransomware

The wave of attacks through malicious advertisements continues to hit visitors of popular websites

The cybercriminals behind the CryptoWall ransomware threat have stepped up their game and are digitally signing new samples before using them in attacks in an attempt to bypass antivirus detection.

Researchers from network security firm Barracuda Networks found new CryptoWall samples that were digitally signed with a legitimate certificate obtained from DigiCert. The samples were distributed through drive-by download attacks launched from popular websites via malicious advertisements.

Several websites in the Alexa top 15,000 list were affected by this latest malvertising (malicious advertising) campaign, including hindustantimes.com, the site of Indian daily newspaper Hindustan Times; Israeli sports news site one.co.il; and Web development community codingforums.com.

"In every case, malicious content arrived via the site's use of the Zedo ad network," the Barracuda researchers said in a blog post Sunday.

Zedo, together with Google's DoubleClick ad network, was also used by attackers this month to place malicious advertisements on the Times of Israel, the Jerusalem Post and Last.fm websites, among others. That attack campaign distributed a malware program called Zemot.

In a malvertising attack, rogue ads redirect visitors' browsers to third-party pages that execute exploits for vulnerabilities in outdated browser plug-ins such as Java, Flash Player, Adobe Reader or Silverlight.

"Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim's system," the Barracuda researchers said in their analysis of the new attack. "The particular instance delivered via tonight's campaign has a valid digital signature and appears to have been signed just hours before its distribution."

CryptoWall is a particularly nasty ransomware program. Once installed on a system it encrypts files that match a long list of file extensions using strong public-key cryptography. It then asks victims to pay a ransom in Bitcoin in order to receive the key needed to recover their files.

There's currently no completely reliable method of recovering CryptoWall-encrypted files aside from paying the ransom or restoring them from backups that haven't been damaged during the infection. Security researchers advise against paying the ransom because this helps further the fraud and there's no guarantee of getting the key when dealing with cybercriminals.

A recent analysis of the CryptoWall operation by Dell SecureWorks revealed that the malware has infected more than 600,000 computer systems since March and earned its creators over US$1 million.

The digital signing of CryptoWall samples is likely an attempt to evade antivirus detection. How effective this is remains debatable, since the practice is no longer uncommon among malware developers and many security products account for it. However, there might be cases where malware signed with certificates stolen from trusted developers can bypass application whitelisting rules that trust any validly signed binary.
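The distinction matters in practice: a whitelisting rule that accepts "any valid Authenticode signature" lets a sample signed with a legitimately issued certificate through, while a rule pinned to approved publisher certificates does not. The PowerShell below is an added example, not code from the article or from Barracuda; it evaluates both rules side by side over a folder of executables, and the thumbprint in the allowlist is a placeholder you would replace with your own approved publishers.

```powershell
# Added example (not from the article or Barracuda): compares a weak whitelisting
# rule ("any valid signature") with a publisher-pinned rule over local executables.
# The thumbprint below is a placeholder; fill it with your approved signer certs.
$TrustedPublisherThumbprints = @(
    'PLACEHOLDER_THUMBPRINT_OF_YOUR_APPROVED_PUBLISHER_CERT'
)

function Test-ExecutablePolicy {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $AllowedThumbprints = $TrustedPublisherThumbprints
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Weak rule: trusts anything that chains to a public CA. A binary signed with
    # a legitimately issued (or stolen) certificate passes this check.
    $weakVerdict = if ($sig.Status -eq 'Valid') { 'Allow' } else { 'Block' }

    # Pinned rule: the signature must be valid AND the leaf certificate must be
    # one the organisation has explicitly approved.
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    $pinnedVerdict = if ($sig.Status -eq 'Valid' -and $thumb -in $AllowedThumbprints) {
        'Allow'
    } else {
        'Block'
    }

    [pscustomobject]@{
        File          = $Path
        Status        = $sig.Status
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Thumbprint    = $thumb
        # A missing countersignature means there is no trusted timestamp; the
        # signing time then cannot be corroborated.
        Countersigned = [bool]$sig.TimeStamperCertificate
        WeakRule      = $weakVerdict
        PinnedRule    = $pinnedVerdict
        # Files the weak rule allows but the pinned rule blocks are the ones to
        # review: validly signed, but by a publisher nobody approved.
        ReviewNeeded  = ($weakVerdict -eq 'Allow' -and $pinnedVerdict -eq 'Block')
    }
}

# Usage: scan the Downloads folder and list files that need review.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Filter *.exe -File |
    ForEach-Object { Test-ExecutablePolicy -Path $_.FullName } |
    Where-Object ReviewNeeded |
    Format-Table File, Signer, Countersigned -AutoSize
```

Run it in a Windows PowerShell session; the ReviewNeeded column isolates exactly the case the article describes, a binary that is validly signed but not by anyone you trust.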

The new CryptoWall samples were not detected by any of the 55 antivirus products used on the VirusTotal website when they were discovered Sunday, the Barracuda researchers said. The detection rate has slightly increased since then, they said.

To protect themselves against malvertising and drive-by download attacks in general, users should keep the software installed on their computers up to date, especially Web browsers and their plug-ins. They should also enable click-to-play for plug-in based content if the feature is available in their preferred browser.


Lucian Constantin

IDG News Service