Ad-borne Cryptowall Ransomware Claims Fresh Victims

The phones have been ringing off the hook here at KnowBe4. Not customers of ours, but people who were hit with CryptoWall 2.0, needed bitcoin urgently, did a web search and wound up with us because of our crypto-ransom guarantee.

The folks at Proofpoint just published a long blog post explaining exactly why. In a nutshell, CryptoWall 2.0 is now being spread through poisoned ads (malvertising) served on major sites, Yahoo and AOL among them, to infect networks.

They said: "The sites themselves were not compromised; rather, the advertising networks upon which they relied for dynamic content were inadvertently serving malware".

This is a so-called drive-by download: the user does not have to click on anything for the infection to happen. Until now, CryptoWall was spread via spam sent by the Cutwail botnet, carrying infected attachments and download links.

The website visitors affected by this malvertising are those running vulnerable versions of Adobe Flash Player. According to Proofpoint, "the malvertisements silently 'pull in' malicious exploits from the FlashPack Exploit Kit".

According to security researchers at Dell SecureWorks, more than 830,000 victims worldwide have been infected with this ransomware, a 25% increase since late August, when there were 625,000 victims.

The ransom demanded is usually $500, doubling to $1,000 once the deadline (normally 4 to 7 days) is exceeded. Even the bad guys understand it's not always easy to get your hands on bitcoin fast. Counting the payments to CryptoWall's Bitcoin addresses, Proofpoint estimates the attackers take in $25,000 per day.

Recent data taken directly from the CryptoWall ransom payment server shows a total of just over $1,000,000 paid from March through August 2014, and since then a further 205,000 new victims have been claimed.

So, apart from (close to) real-time file server backups, I now also strongly recommend deploying ad blockers for all browsers in your organization if you have not already done so, or using endpoint security that has ad blocking built in. Focus on keeping all endpoints fully patched, Windows as well as every third-party application (Flash Player first of all, since that is what this campaign exploits). Also, configure endpoint browsers to execute plug-in content only when clicked rather than automatically.

Browsers like Google Chrome and Mozilla Firefox let you enable click-to-play for plug-in based content, which stops the automatic execution of exploits that target browser plug-ins. Deploying an application whitelisting product on all machines is also worth looking at.
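Here is how the click-to-play setting above can be pushed to a Windows endpoint from an elevated PowerShell prompt. This is an added example, not code from the original post or from Proofpoint; it assumes Chrome reads its enterprise policy from HKLM\SOFTWARE\Policies\Google\Chrome and that Firefox is installed under $env:ProgramFiles\Mozilla Firefox (adjust the paths for your image).

```powershell
# Added example (not from the original post): enforce click-to-play for browser
# plug-ins on a Windows endpoint. Assumed paths: Chrome enterprise policy under
# HKLM\SOFTWARE\Policies\Google\Chrome, Firefox under $env:ProgramFiles\Mozilla Firefox.
# Run elevated; deploy via GPO/startup script in a real fleet.

# --- Chrome: DefaultPluginsSetting 3 = "Ask" (click-to-play).
#     1 = run plug-ins automatically (the weak default this campaign relies on), 2 = block all.
$chromePolicy = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
if (-not (Test-Path $chromePolicy)) {
    New-Item -Path $chromePolicy -Force | Out-Null
}
New-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting' `
    -PropertyType DWord -Value 3 -Force | Out-Null

# --- Firefox: lock plugin.state.flash to 1 ("Ask to activate").
#     2 = always activate (weak), 0 = disabled. lockPref keeps users from changing it.
$ffDir   = Join-Path $env:ProgramFiles 'Mozilla Firefox'
$prefDir = Join-Path $ffDir 'defaults\pref'

# local-settings.js tells Firefox to load mozilla.cfg from the install root (unobfuscated).
@'
pref("general.config.filename", "mozilla.cfg");
pref("general.config.obscure_value", 0);
'@ | Set-Content -Path (Join-Path $prefDir 'local-settings.js') -Encoding ASCII

# mozilla.cfg: the first line must be a comment. Cover Flash explicitly and every other
# plug-in via the default state, so a newly installed plug-in does not auto-run either.
@'
//
lockPref("plugin.state.flash", 1);
lockPref("plugin.default.state", 1);
'@ | Set-Content -Path (Join-Path $ffDir 'mozilla.cfg') -Encoding ASCII

# --- Verify what was written
Get-ItemProperty -Path $chromePolicy -Name 'DefaultPluginsSetting'
Get-Content (Join-Path $ffDir 'mozilla.cfg')
```

After a browser restart, chrome://policy should list DefaultPluginsSetting as 3 and about:config in Firefox should show plugin.state.flash locked at 1. Click-to-play reduces the attack surface but does not remove it: a user who clicks the placeholder on a malicious ad still runs the vulnerable plug-in, so patching Flash (or removing it where it is not needed) remains the primary control.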

Having an Acceptable Use Policy (AUP) in place that forbids employees from using their machines for private browsing, and an edge device that blocks selected categories of websites (such as all social media), is also increasingly something you should have in place. Keep in mind, though, that this campaign ran on mainstream sites like Yahoo and AOL, so category blocking alone would not have stopped it; ad blocking and patching are the controls that matter here.

And obviously, stepping all employees through effective security awareness training is a must these days. Find out how affordable this is for your own organization: click the button and get a quote.
