Security researchers have recently observed several ransomware families, among them CryptXXX and a newer strain named Cryptobit, being pushed through the same shady series of domains.
The spam campaign, known as Realstatistics, has tainted thousands of websites built on the Joomla! and WordPress content management systems. Over the past few days, researchers at the security company Sucuri observed the campaign injecting bogus analytics code, including the URL realstatistics[.]info, into the PHP templates of infected websites.
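As an added example (not code from the article or from Sucuri), here is a small Python scanner a site owner could run over a WordPress or Joomla! install to flag template files that reference the realstatistics[.]info domain the campaign injects; the theme paths and the sample injected script tag are constructed for the demo.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Indicator from the campaign described above; the pattern also accepts the
# defanged spelling "realstatistics[.]info" as it appears in reports.
INDICATOR_PATTERN = re.compile(r"realstatistics(?:\[\.\]|\.)info", re.IGNORECASE)

# File types a WordPress or Joomla! theme/template directory typically holds.
SCAN_EXTENSIONS = (".php", ".html", ".js")

def scan_file(path: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each line that references the indicator."""
    hits = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            if INDICATOR_PATTERN.search(line):
                hits.append((lineno, line.strip()))
    return hits

def scan_cms_root(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Walk a CMS install and map relative file paths to their matching lines."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.endswith(SCAN_EXTENSIONS):
                full = os.path.join(dirpath, name)
                hits = scan_file(full)
                if hits:
                    findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings

def demo() -> Dict[str, List[Tuple[int, str]]]:
    """Build a constructed sample site (hypothetical theme files) and scan it."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "wp-content", "themes", "example")
    os.makedirs(theme)
    # Clean template: an ordinary footer with no injected tag.
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n</body>\n</html>\n")
    # Infected template (constructed): a fake "analytics" include pointing at the campaign domain.
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<?php /* theme header */ ?>\n<head>\n"
                 '<script type="text/javascript" src="http://realstatistics.info/js/analytics.php"></script>\n'
                 "</head>\n")
    return scan_cms_root(root)
```

Running `demo()` reports only `wp-content/themes/example/header.php`, with the injected tag on line 3.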
In a recent post to the company's blog, Sucuri CTO and founder Daniel Cid said the campaign first redirected visitors to the Neutrino Exploit Kit. If the kit successfully exploited a Flash or PDF reader vulnerability, it left them saddled with the ransomware du jour, CryptXXX.
According to Cid, the division of his company that identifies and removes website infections has been monitoring the campaign for two weeks and has observed at least 2,000 affected websites. He added that the true number of hacked sites may be up to five times that, since the team only sees sites that use the company's scanner.
Currently there is no detailed information on how the attackers infiltrated both content management systems to plant the code. Sucuri, which fingerprinted the affected sites, reports that 60% run out-of-date Joomla! or WordPress builds and that it could fingerprint the CMS on 90% of them, suggesting that a common vulnerability, perhaps one already patched in an outdated plugin or extension used by the sites, links the two.
Last week, researcher Brad Duncan wrote a blog post for Palo Alto Networks reporting that he had seen the same Realstatistics domain inject script into the page of a compromised website, serve the Rig Exploit Kit, and infect users with Cryptobit ransomware.
Like every strain of ransomware, Cryptobit urges victims to contact the criminals in order to restore their files. However, the ransom note that appears on victims' desktops does not specify how much to pay, or in what currency, to get the files back.
The first Cryptobit infections were noticed in April this year. At that time the ransomware used both AES and RSA to encrypt files, a combination that makes the data more difficult to decrypt.
The attackers pushed Cryptobit hard for more than a week. According to Duncan, eight different samples of the variant popped up over the course of 10 days. By the end of last month, however, the campaign had shifted to distributing other malware.
Duncan said he has seen Gootkit, banking malware that steals credentials from infected machines, spreading via Neutrino from the same campaign. Before Cryptobit, the campaign delivered the Cerber ransomware, Duncan added, noting that it occasionally switches the malware it distributes.
The creators of CryptXXX have kept busy adapting their ransomware in the face of rapidly changing detection signatures. While generating exploit kit traffic last week, Duncan observed a Neutrino infection triggered by a pseudoDarkleech campaign. Examining the resulting ransomware, he found that the attackers had tweaked both the ransom note and the Tor payment website it uses.