Endpoint

6/29/2015
03:40 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Clever CryptoWall Spreading Via New Attacks

Top ransomware doesn't waste time jumping on the latest Flash zero-day, and hops rides on click fraud campaigns, too.

The CryptoWall ransomware operators continue to innovate -- not only improving the payload itself, but also expandings its methods of proliferation.

For example, within two hours, a device hijacked for relatively innocent click fraud attacks can become a conduit for far more serious kit -- including CryptoWall.

As researchers at Damballa explain in their latest State of Infections Report, operators of the RuthlessTreeMafia click fraud malware campaign infect client machines via the Asprox botnet. As a second revenue stream, they sell other attackers access to those bots.

The threat actors running the Rerdom and Rovnix Trojans had first dibs -- but through a chain of events that took only two hours, some victims were eventually infected with CryptoWall as well.

"The intricacies of advanced infections mean that a seemingly low risk threat – in this case click fraud – can serve as the entry point for far more serious threats," said Damballa CTO Stephen Newman.

The ransomware also found its way into the Magnitude exploit kit. Over the weekend, French researcher Kafeine discovered that Magnitude had added exploits for the critical Flash zero-day vulnerability that Adobe released an emergency out-of-band patch for last week. (The vulnerability, CVE-2015-3113, was linked to Chinese advanced persisted threat group APT3, according to FireEye.) Kafeine also saw two samples that were installing Cryptowall against a Windows 7 machine running Internet Explorer 11.

These are just the latest in a variety of new infection vectors CryptoWall operators have begun using. CryptoWall added the ability to execute 64-bit code directly from a 32-bit dropper. It was found proliferating through spam with malicious .chm attachments. And it was dropping via the elusive HanJuan exploit kit as part of a malvertising campaign

Last week, the FBI stated that between ransoms and recovery costs, CryptoWall had cost Americans over $18 million between April 2014 and June 2015. The Bureau called CryptoWall "the most current and significant ransomware threat targeting U.S. individuals and businesses."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/2/2015 | 7:45:13 AM
Re: BACKUP!
Haha, thats a funny and interesting "parable". I am definitly going to be using that soon.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:44:14 PM
PDs
It's been really disheartening to see police departments/law enforcement agencies in particular give in to ransomware demands.

I'm not sure which is the more depressing aspect of this -- that the organizations that are supposed to protect us are powerless against these attackers, or that they failed to back up their data.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:41:56 PM
Re: BACKUP!
Reminds me of a story...

Jesus and Satan get into an argument over who the better programmer is.  They decide to settle it with a 24-hour contest (with God as the judge).

They take their seats before their respective terminals, the contest begins, and they get to work -- furiously typing non-stop.

Finally, a couple of minutes before the contest is about to draw to a close, there is a power outage!  The computers go out, and all the lights go out.

The power comes back on almost immediately, and the contest ends.

God approaches Satan, asking him to show his work.

Satan complains, "The power outage took everything!  I lost it all!"

God then turns to Jesus.  Jesus types in a command at the prompt, presses Enter, and the screen bursts forth with a vivid, colorful display while the speakers pump out Handel's "Messiah."

Satan is agape as God declares Jesus the winner.

"But...how???!!!" says Satan in disbelief.  "I lost my entire program.  How did he do it?"

God looks over at the fallen angel and replies, "Jesus saves."
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2015 | 12:54:21 PM
BACKUP!
Can't state this enough. Always back up your important files to a remote location. I've seen this happen first hand and you can easily render ransomware ineffective if they do not have leverage over you. IE) The data they encrypted doesn't matter to you because you have a backup elsewhere.
Government Shutdown Brings Certificate Lapse Woes
Curtis Franklin Jr., Senior Editor at Dark Reading,  1/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.
CVE-2018-20727
PUBLISHED: 2019-01-17
Multiple command injection vulnerabilities in NeDi before 1.7Cp3 allow authenticated users to execute code on the server side via the flt parameter to Nodes-Traffic.php, the dv parameter to Devices-Graph.php, or the tit parameter to drawmap.php.