Business Websites Involved In CryptXXX Ransomware-Spreading Campaign

Legitimate business websites have been observed redirecting visitors to the Neutrino exploit kit. The attackers compromise these sites through a vulnerable version of the Revslider slideshow plugin for WordPress.

According to security vendor Invincea, the SoakSoak botnet constantly scans for websites running a vulnerable version of the plugin. Once it finds one, it injects a script that redirects visitors to another site hosting the Neutrino exploit kit. Neutrino checks for debuggers and security tools and, if it finds none, drops the CryptXXX ransomware.

CryptXXX was behind attacks on Microsoft Windows computers in April this year. The ransom it demands for a decryptor is 2.4 bitcoins (roughly $2,154). Unfortunately, no way to recover files encrypted by the latest version of the ransomware has been found yet.

In December 2014, 100,000 websites were infected through the vulnerable Revslider plugin in a single day. Three months later, the same campaign compromised the New South Wales government's GovDC website.

Invincea compiled a list of global business websites recently hit by the SoakSoak ransomware-spreading campaign. The website of the Australian company Dunlop was also on the list, but Dunlop declined to elaborate as it was still investigating the problem.

The firm advised administrators to keep an eye on their websites, as SoakSoak is constantly scanning for vulnerabilities it can use to redirect visitors to Neutrino and, from there, to CryptXXX.
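The two things an administrator can actually check for here are the ones the article describes: an outdated Revslider install, and an injected script, iframe or redirect that sends visitors to a host the site does not own. The script below is an added example written for this page, not Invincea's tooling or anything from the SoakSoak research; the file contents it scans are constructed in a temporary directory, the domain names are placeholders, and the minimum safe plugin version is a parameter the caller must take from the vendor's advisory (the "4.2" used in the demo is an assumption, not a figure from the article).

```python
"""Integrity check for a WordPress tree: flag an outdated Revslider plugin and any
off-site script/iframe/location redirect injected into PHP, JS or HTML files.
Added example for this article; the sample site it builds is constructed data."""
import os
import re
import tempfile
from urllib.parse import urlparse

# Patterns typical of an injected exploit-kit redirector: an external <script src>,
# a hidden <iframe src>, or JavaScript assigning an absolute off-site URL to location.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)
IFRAME_SRC = re.compile(r'<iframe[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)
LOCATION_ASSIGN = re.compile(
    r'(?:window|document|top)\.location(?:\.href)?\s*=\s*["\'](https?://[^"\']+)', re.I)
# "Version:" line of a WordPress plugin header comment.
PLUGIN_VERSION = re.compile(r'^\s*\*?\s*Version:\s*([\d.]+)', re.M)
SCAN_SUFFIXES = ('.php', '.js', '.html', '.htm')


def parse_version(s):
    """'4.1.4' -> (4, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split('.') if p.isdigit())


def external_urls(text, own_hosts):
    """Return every redirect-style URL in text whose host is not one of own_hosts."""
    found = []
    for pattern in (SCRIPT_SRC, IFRAME_SRC, LOCATION_ASSIGN):
        for url in pattern.findall(text):
            host = (urlparse(url).hostname or '').lower()
            if host not in own_hosts:
                found.append(url)
    return found


def revslider_version(root):
    """Read the Version: header of wp-content/plugins/revslider/revslider.php, if present."""
    for dirpath, _, files in os.walk(root):
        if os.path.basename(dirpath) == 'revslider' and 'revslider.php' in files:
            with open(os.path.join(dirpath, 'revslider.php'), encoding='utf-8', errors='replace') as f:
                match = PLUGIN_VERSION.search(f.read(8192))
            return match.group(1) if match else None
    return None


def scan_site(root, own_hosts, min_safe_version):
    """Return (kind, path, detail) findings for an outdated Revslider and off-site redirects."""
    findings = []
    version = revslider_version(root)
    if version is not None and parse_version(version) < parse_version(min_safe_version):
        findings.append(('revslider-outdated', root, version))
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding='utf-8', errors='replace') as f:
                for url in external_urls(f.read(), own_hosts):
                    findings.append(('external-redirect', path, url))
    return findings


def build_demo_site():
    """Constructed sample install: one outdated plugin, one clean file, two injected files."""
    root = tempfile.mkdtemp(prefix='wp-demo-')
    samples = {
        'wp-content/plugins/revslider/revslider.php':
            '<?php\n/*\nPlugin Name: Slider Revolution\nVersion: 4.1.4\n*/\n',
        'wp-content/themes/site/header.php':
            '<script src="https://www.example.com/app.js"></script>\n',
        'wp-includes/template-loader.php':
            '<?php echo \'<script src="http://redirect.invalid/loader.js"></script>\';\n',
        'wp-includes/js/jquery/jquery.js':
            '/* jQuery */ window.location = "http://redirect.invalid/land";\n',
    }
    for rel, text in samples.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'w', encoding='utf-8') as f:
            f.write(text)
    return root


if __name__ == '__main__':
    # '4.2' is a placeholder: take the fixed version from the plugin vendor's advisory.
    for finding in scan_site(build_demo_site(), {'www.example.com'}, '4.2'):
        print(*finding)
```

Run it against a real install with the site's own hostnames in `own_hosts`; anything it reports under `external-redirect` deserves a look at the file's modification time and a diff against a clean copy of WordPress, because an injected redirector of the kind described above lives in exactly these core and theme files.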

Update: Jürgen Mertin, an Ardex IT supervisor, stated that once they had been notified of the vulnerability's presence, it was removed within an hour. He said that it was iTnews, not Invincea, that warned them of the problem.
