Malvertising campaign delivers digitally signed CryptoWall ransomware

The wave of attacks through malicious advertisements continues to hit visitors of popular websites

The cybercriminals behind the CryptoWall ransomware threat have stepped up their game and are digitally signing new samples before using them in attacks in an attempt to bypass antivirus detection.

Researchers from network security firm Barracuda Networks found new CryptoWall samples that were digitally signed with a legitimate certificate obtained from DigiCert. The samples were distributed through drive-by download attacks launched from popular websites via malicious advertisements.

Several websites in the Alexa top 15,000 list were affected by this latest malvertising -- malicious advertising -- campaign including hindustantimes.com, the site of Indian daily newspaper Hindustan Times; Israeli sports news site one.co.il; and Web development community codingforums.com.

"In every case, malicious content arrived via the site's use of the Zedo ad network," the Barracuda researchers said in a blog post Sunday.

Zedo, along with Google's DoubleClick ad network, was also used by attackers this month to place malicious advertisements on the Times of Israel, the Jerusalem Post and Last.fm websites, among others. That campaign distributed a malware program called Zemot.

In a malvertising attack, rogue ads redirect visitors' browsers to third-party pages that run exploits for vulnerabilities in outdated browser plug-ins such as Java, Flash Player, Adobe Reader or Silverlight. The visitor does not have to click anything; loading the page that carries the ad is enough.

"Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim's system," the Barracuda researchers said in their analysis of the new attack. "The particular instance delivered via tonight's campaign has a valid digital signature and appears to have been signed just hours before its distribution."

CryptoWall is a particularly nasty ransomware program. Once installed on a system, it encrypts files matching a long list of file extensions using strong public-key cryptography, so the private key needed to decrypt them never resides on the victim's machine. It then asks victims to pay a ransom in Bitcoin in order to receive the key needed to recover their files.

There's currently no completely reliable method of recovering CryptoWall-encrypted files aside from paying the ransom or restoring them from backups that haven't been damaged during the infection. Security researchers advise against paying the ransom because this helps further the fraud and there's no guarantee of getting the key when dealing with cybercriminals.

A recent analysis of the CryptoWall operation by Dell SecureWorks revealed that the malware has infected more than 600,000 computer systems since March and earned its creators over US$1 million.

The digital signing of CryptoWall samples is likely an attempt to evade antivirus detection. How much it helps is debatable: the practice is no longer uncommon among malware developers, and many security products treat a signature as one attribute to inspect rather than as proof of trustworthiness. However, a valid signature can still defeat application whitelisting rules that trust any validly signed binary, or that trust a particular publisher, when the attackers hold a certificate stolen from a trusted developer or, as in this case, one legitimately issued to them. Rules that pin specific file hashes are not affected by this trick.
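The difference between "signed" and "trusted" is easy to state and easy to get wrong in policy. The following is an added example (not code from the article or from Barracuda Networks) that evaluates three allowlist rules against constructed binary metadata: a naive rule that admits any validly signed file, a rule pinned to known publisher thumbprints and known file hashes, and a triage heuristic generalised from the article's observation that the sample was signed only hours before it was distributed. All hashes, thumbprints and timestamps below are invented placeholders, not real CryptoWall indicators.

```python
"""Compare code-signing allowlist policies against constructed sample metadata.

Added example; not code from the original article or from Barracuda Networks.
Hashes, thumbprints and timestamps are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Binary:
    sha256: str             # hash of the file contents
    signature_valid: bool   # chain builds to a trusted CA and the hash matches
    signer_thumbprint: str  # thumbprint of the signing certificate, "" if unsigned
    signed_at: datetime     # signing time from the timestamp countersignature
    first_seen: datetime    # when the file first appeared in the environment


# Policy 1 (weak): "if it carries a valid signature, let it run".
# A sample signed with a stolen or freshly issued certificate passes this.
def allow_any_valid_signature(b: Binary) -> bool:
    return b.signature_valid


# Policy 2 (pinned): trust is tied to specific publisher certificates and,
# for anything else, to known-good file hashes. A valid signature from an
# unknown publisher is not sufficient.
def allow_pinned(b: Binary, trusted_signers: set, trusted_hashes: set) -> bool:
    if b.sha256 in trusted_hashes:
        return True
    return b.signature_valid and b.signer_thumbprint in trusted_signers


# Triage heuristic: a signature applied shortly before the file was first
# seen is unusual for legitimate releases and worth a closer look. It is a
# signal for analysts, not a verdict on its own.
def freshly_signed(b: Binary, window: timedelta = timedelta(hours=24)) -> bool:
    return b.signature_valid and (b.first_seen - b.signed_at) <= window


def triage(samples, trusted_signers, trusted_hashes):
    """Return (sha256 prefix, naive verdict, pinned verdict, fresh flag) per sample."""
    return [
        (
            b.sha256[:8],
            allow_any_valid_signature(b),
            allow_pinned(b, trusted_signers, trusted_hashes),
            freshly_signed(b),
        )
        for b in samples
    ]


# Constructed allowlist: one known vendor certificate and one known-good hash.
TRUSTED_SIGNERS = {"a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1"}
TRUSTED_HASHES = {"feedface" * 8}

# Constructed samples. Timestamps are placeholders chosen for illustration.
VENDOR_BINARY = Binary(
    sha256="cafebabe" * 8,
    signature_valid=True,
    signer_thumbprint="a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1a1",
    signed_at=datetime(2014, 3, 1, 12, 0, tzinfo=UTC),
    first_seen=datetime(2014, 9, 21, 9, 0, tzinfo=UTC),
)
# Validly signed, but by a certificate nobody in the environment has pinned,
# and signed three hours before it first showed up.
SIGNED_MALWARE = Binary(
    sha256="deadbeef" * 8,
    signature_valid=True,
    signer_thumbprint="b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2b2",
    signed_at=datetime(2014, 9, 21, 2, 0, tzinfo=UTC),
    first_seen=datetime(2014, 9, 21, 5, 0, tzinfo=UTC),
)
UNSIGNED_DROPPER = Binary(
    sha256="0badf00d" * 8,
    signature_valid=False,
    signer_thumbprint="",
    signed_at=datetime(1970, 1, 1, tzinfo=UTC),
    first_seen=datetime(2014, 9, 21, 5, 30, tzinfo=UTC),
)
SAMPLES = [VENDOR_BINARY, SIGNED_MALWARE, UNSIGNED_DROPPER]

if __name__ == "__main__":
    for row in triage(SAMPLES, TRUSTED_SIGNERS, TRUSTED_HASHES):
        print("sha256=%s naive_allow=%s pinned_allow=%s freshly_signed=%s" % row)
```

The naive rule admits the signed malware and the vendor binary alike; the pinned rule admits only the vendor binary; the freshness flag singles out the sample whose signature is hours old. In a real deployment the `signature_valid`, `signer_thumbprint` and `signed_at` fields would come from the platform's signature verifier rather than from constructed records.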

The new CryptoWall samples were not detected by any of the 55 antivirus products used on the VirusTotal website when they were discovered Sunday, the Barracuda researchers said. The detection rate has slightly increased since then, they said.

To protect themselves against malvertising and drive-by download attacks in general, users should keep the software installed on their computers up to date, especially Web browsers and their plug-ins. They should also enable click-to-play for plug-in based content if their preferred browser offers the feature, so that Java, Flash or Silverlight content does not run until it is explicitly allowed.

Lucian Constantin

IDG News Service