The CryptoWall ransomware operators continue to innovate -- not only improving the payload itself, but also expanding its methods of proliferation.
For example, within two hours, a device hijacked for relatively innocent click fraud attacks can become a conduit for far more serious kit -- including CryptoWall.
As researchers at Damballa explain in their latest State of Infections Report, operators of the RuthlessTreeMafia click fraud malware campaign infect client machines via the Asprox botnet. As a second revenue stream, they sell other attackers access to those bots.
The threat actors running the Rerdom and Rovnix Trojans had first dibs -- but through a chain of events that took only two hours, some victims were eventually infected with CryptoWall as well.
"The intricacies of advanced infections mean that a seemingly low risk threat – in this case click fraud – can serve as the entry point for far more serious threats," said Damballa CTO Stephen Newman.
The ransomware also found its way into the Magnitude exploit kit. Over the weekend, French researcher Kafeine discovered that Magnitude had added exploits for the critical Flash zero-day vulnerability for which Adobe released an emergency out-of-band patch last week. (The vulnerability, CVE-2015-3113, was linked to Chinese advanced persistent threat group APT3, according to FireEye.) Kafeine also saw two samples that were installing CryptoWall on a Windows 7 machine running Internet Explorer 11.
These are just the latest in a variety of new infection vectors CryptoWall operators have begun using. CryptoWall added the ability to execute 64-bit code directly from a 32-bit dropper. It was found proliferating through spam with malicious .chm attachments. And it was being dropped via the elusive HanJuan exploit kit as part of a malvertising campaign.
Last week, the FBI stated that between ransoms and recovery costs, CryptoWall had cost Americans over $18 million between April 2014 and June 2015. The Bureau called CryptoWall "the most current and significant ransomware threat targeting U.S. individuals and businesses."