Endpoint
6/29/2015
03:40 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Clever CryptoWall Spreading Via New Attacks

Top ransomware doesn't waste time jumping on the latest Flash zero-day, and hops rides on click fraud campaigns, too.

The CryptoWall ransomware operators continue to innovate -- not only improving the payload itself, but also expandings its methods of proliferation.

For example, within two hours, a device hijacked for relatively innocent click fraud attacks can become a conduit for far more serious kit -- including CryptoWall.

As researchers at Damballa explain in their latest State of Infections Report, operators of the RuthlessTreeMafia click fraud malware campaign infect client machines via the Asprox botnet. As a second revenue stream, they sell other attackers access to those bots.

The threat actors running the Rerdom and Rovnix Trojans had first dibs -- but through a chain of events that took only two hours, some victims were eventually infected with CryptoWall as well.

"The intricacies of advanced infections mean that a seemingly low risk threat – in this case click fraud – can serve as the entry point for far more serious threats," said Damballa CTO Stephen Newman.

The ransomware also found its way into the Magnitude exploit kit. Over the weekend, French researcher Kafeine discovered that Magnitude had added exploits for the critical Flash zero-day vulnerability that Adobe released an emergency out-of-band patch for last week. (The vulnerability, CVE-2015-3113, was linked to Chinese advanced persisted threat group APT3, according to FireEye.) Kafeine also saw two samples that were installing Cryptowall against a Windows 7 machine running Internet Explorer 11.

These are just the latest in a variety of new infection vectors CryptoWall operators have begun using. CryptoWall added the ability to execute 64-bit code directly from a 32-bit dropper. It was found proliferating through spam with malicious .chm attachments. And it was dropping via the elusive HanJuan exploit kit as part of a malvertising campaign

Last week, the FBI stated that between ransoms and recovery costs, CryptoWall had cost Americans over $18 million between April 2014 and June 2015. The Bureau called CryptoWall "the most current and significant ransomware threat targeting U.S. individuals and businesses."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
7/2/2015 | 7:45:13 AM
Re: BACKUP!
Haha, thats a funny and interesting "parable". I am definitly going to be using that soon.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:44:14 PM
PDs
It's been really disheartening to see police departments/law enforcement agencies in particular give in to ransomware demands.

I'm not sure which is the more depressing aspect of this -- that the organizations that are supposed to protect us are powerless against these attackers, or that they failed to back up their data.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/30/2015 | 11:41:56 PM
Re: BACKUP!
Reminds me of a story...

Jesus and Satan get into an argument over who the better programmer is.  They decide to settle it with a 24-hour contest (with God as the judge).

They take their seats before their respective terminals, the contest begins, and they get to work -- furiously typing non-stop.

Finally, a couple of minutes before the contest is about to draw to a close, there is a power outage!  The computers go out, and all the lights go out.

The power comes back on almost immediately, and the contest ends.

God approaches Satan, asking him to show his work.

Satan complains, "The power outage took everything!  I lost it all!"

God then turns to Jesus.  Jesus types in a command at the prompt, presses Enter, and the screen bursts forth with a vivid, colorful display while the speakers pump out Handel's "Messiah."

Satan is agape as God declares Jesus the winner.

"But...how???!!!" says Satan in disbelief.  "I lost my entire program.  How did he do it?"

God looks over at the fallen angel and replies, "Jesus saves."
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/30/2015 | 12:54:21 PM
BACKUP!
Can't state this enough. Always back up your important files to a remote location. I've seen this happen first hand and you can easily render ransomware ineffective if they do not have leverage over you. IE) The data they encrypted doesn't matter to you because you have a backup elsewhere.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
DNS Threats: What Every Enterprise Should Know
Domain Name System exploits could put your data at risk. Here's some advice on how to avoid them.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Tim Wilson speaks to two experts on vulnerability research – independent consultant Jeremiah Grossman and Black Duck Software’s Mike Pittenger – about the latest wave of vulnerabilities being exploited by online attackers