Over the weekend, The NY Times, BBC, Newsweek, AOL, MSN, The Hill and other major news sites had their ad networks hijacked again by criminals using the Angler Exploit Kit to deliver TeslaCrypt ransomware.
Our friends at Malwarebytes reported a spike in malicious traffic that impacted a large number of websites, indicating that we are dealing with experienced cybercriminals who have done this many times before. The new wrinkle this time is that the bad guys acquired an expired domain of a small but probably legit advertising company, which made it possible to fly under the radar and spread their ransomware.
Trend Micro reported similar attacks, and noted that since March 9 there has been a noticeable increase in Angler-based activity. Angler has also been recently updated to exploit additional vulnerabilities and was the top Exploit Kit in 2015; we will see if that holds true again this year. It's possible the attacks impacted tens of thousands of users in under 24 hours.
Steve Ragan at CSO Online wrote: "Ransomware is quickly becoming the go-to payload for criminals because it's a quick payout with little overhead. Generating variants of new ransomware costs the criminal nothing after the initial development fee is paid, and running a campaign costs pennies per victim.
Two payments often cover the cost of an entire campaign, and the rest is pure profit. As an attack, ransomware is also difficult to deal with, because victims are sometimes forced to pay the ransom due to a lack of current or working backups. This is the case for victims at home and the office."
It is very important to step users through effective security awareness training, so that they are aware of ad poisoning attacks and "Think Before They Click".
Here is a suggestion:
Do a Phishing Security Test on your users and find out if they are going to click on something they shouldn't. Get started here: