Report: Ransomware and Malvertising

The biggest cyber-threats in the last three months have been from ransomware and malvertising. The bill for the recent ransomware attack on the Hollywood Presbyterian Medical Center in California was $17 000 which was paid after three weeks of negotiations. This was less than the sum the ransomers originally demanded ($3.5m). The Los Angeles County Health Department and two German hospitals have also been targeted recently.

Ransomware has also developed a new dimension of attack by targeting websites. Hundreds of WordPress ‘sites became compromised by what is thought to be a variant of CBT Locker. This hack is thought to have been carried out via a vulnerability known as shellshock which allows remote code execution on servers that run certain Linux, Unix and Mac distributions. Once infected, the same ransome demand as for private users is displayed.

Ransomware for Macs: KeRanger ransomware infected the popular Bittorrent client, Transmission 2.90 on 4th and 5th March. It has been called ‘the first AppleMac ransomware’, though the JavaScripted Ransom32 already in circulation has the capability to infect Mac O/S (and Linux). KeRanger bypassed the Apple Gatekeeper security feature by using a developer ID and downloaded from the developer’s ‘site. The infection was noticed within 24 hours, the developer ID was revoked, and the client replaced with a newer version, 2.92.

Malvertizing has been injecting malicious adverts into websites. This wouldn’t be unusual, though the websites infiltrated are. When visiting a ‘site like Newsweek or the New York Times, a user wouldn’t normally pause to weigh the threat risk – though these are among dozens of well-known domains that suddenly started serving mal-ads on the 13th March (others included: BBS, MSN and AOL). Thousands of visitors are thought to have been infected after being redirected to ‘sites containing the Angler EK (which searches for any system/browser vulnerability), and if found vulnerable, were then injected with a bad dose of TeslaCrypt ransomware.

Hackers are obviously hijacking established ad-nets with high ratings to widen their own customer base. And by hand-picking the ‘sites they compromise on the basis of the established visitors, they can better target wealthier, and perhaps more vulnerable social groups. Exploit Kit attacks are usually associated with shady or questionable websites where the visitor could expect to risk trouble; that respectable advertising networks have started to be subverted is a new attack vector in the malware campaign. It is also an indication that the two disciplines of malware are being combined to increase and widen operations this year.

2 thoughts on “Report: Ransomware and Malvertising”

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.