Endpoint

6/29/2015
03:40 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Clever CryptoWall Spreading Via New Attacks

Top ransomware doesn't waste time jumping on the latest Flash zero-day, and hops rides on click fraud campaigns, too.

The CryptoWall ransomware operators continue to innovate -- not only improving the payload itself, but also expandings its methods of proliferation.

For example, within two hours, a device hijacked for relatively innocent click fraud attacks can become a conduit for far more serious kit -- including CryptoWall.

As researchers at Damballa explain in their latest State of Infections Report, operators of the RuthlessTreeMafia click fraud malware campaign infect client machines via the Asprox botnet. As a second revenue stream, they sell other attackers access to those bots.

The threat actors running the Rerdom and Rovnix Trojans had first dibs -- but through a chain of events that took only two hours, some victims were eventually infected with CryptoWall as well.

"The intricacies of advanced infections mean that a seemingly low risk threat – in this case click fraud – can serve as the entry point for far more serious threats," said Damballa CTO Stephen Newman.

The ransomware also found its way into the Magnitude exploit kit. Over the weekend, French researcher Kafeine discovered that Magnitude had added exploits for the critical Flash zero-day vulnerability that Adobe released an emergency out-of-band patch for last week. (The vulnerability, CVE-2015-3113, was linked to Chinese advanced persisted threat group APT3, according to FireEye.) Kafeine also saw two samples that were installing Cryptowall against a Windows 7 machine running Internet Explorer 11.

These are just the latest in a variety of new infection vectors CryptoWall operators have begun using. CryptoWall added the ability to execute 64-bit code directly from a 32-bit dropper. It was found proliferating through spam with malicious .chm attachments. And it was dropping via the elusive HanJuan exploit kit as part of a malvertising campaign

Last week, the FBI stated that between ransoms and recovery costs, CryptoWall had cost Americans over $18 million between April 2014 and June 2015. The Bureau called CryptoWall "the most current and significant ransomware threat targeting U.S. individuals and businesses."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/2/2015 | 7:45:13 AM
Re: BACKUP!
Haha, thats a funny and interesting "parable". I am definitly going to be using that soon.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:44:14 PM
PDs
It's been really disheartening to see police departments/law enforcement agencies in particular give in to ransomware demands.

I'm not sure which is the more depressing aspect of this -- that the organizations that are supposed to protect us are powerless against these attackers, or that they failed to back up their data.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:41:56 PM
Re: BACKUP!
Reminds me of a story...

Jesus and Satan get into an argument over who the better programmer is.  They decide to settle it with a 24-hour contest (with God as the judge).

They take their seats before their respective terminals, the contest begins, and they get to work -- furiously typing non-stop.

Finally, a couple of minutes before the contest is about to draw to a close, there is a power outage!  The computers go out, and all the lights go out.

The power comes back on almost immediately, and the contest ends.

God approaches Satan, asking him to show his work.

Satan complains, "The power outage took everything!  I lost it all!"

God then turns to Jesus.  Jesus types in a command at the prompt, presses Enter, and the screen bursts forth with a vivid, colorful display while the speakers pump out Handel's "Messiah."

Satan is agape as God declares Jesus the winner.

"But...how???!!!" says Satan in disbelief.  "I lost my entire program.  How did he do it?"

God looks over at the fallen angel and replies, "Jesus saves."
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2015 | 12:54:21 PM
BACKUP!
Can't state this enough. Always back up your important files to a remote location. I've seen this happen first hand and you can easily render ransomware ineffective if they do not have leverage over you. IE) The data they encrypted doesn't matter to you because you have a backup elsewhere.
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
New Mirai Version Targets Business IoT Devices
Dark Reading Staff 3/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Reading Schneier's Friday Squid Blog again?
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.