
Researchers at Cisco have observed a large volume of malicious ads that use the newly detected “RIG” exploit kit (EK) to deliver ransomware to visitors of major websites, including those of Disney, Facebook, and The Guardian newspaper, according to a report.

“RIG’s appearance is significant in three ways. First, because of the sheer amount of traffic we are seeing — we have so far blocked requests to over 90 domains for more than 17% of our Cloud Web Security (CWS) customers. Second, because we have seen it being used to distribute ‘Cryptowall’, the latest ransomware to follow in the success of the now infamous ‘Cryptolocker’,” wrote Cisco’s Andrew Tsonchev.

“And third, because it continues the trend of an increased reliance upon Silverlight in EKs which we have previously written about for both the Fiesta and Angler kits. Like these other kits, we have seen RIG using malvertising to perform a drive-by attack on visitors to high profile, legitimate websites. This accounts for the high amount of traffic we have seen in the last month.”

Tsonchev says analysis of the malicious traffic shows that Flash was the most requested file content type, followed by Silverlight file types, and that the Java applet is distributed by way of Java Web Start, which uses JNLP files.

“Upon successful exploitation the payload is downloaded from paths with the query parameter ‘req=mp3’. We have observed this infection path resulting in Cryptowall ransomware. Like other forms of ransomware, Cryptowall encrypts your local files and requires you to pay a ransom for the key stored on their servers,” Tsonchev said.

“Upon infecting our test system, we were provided with the above links to TOR sites, and a personal identification number. Visiting the page presents you with a captcha followed by information about your ransom.”
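The indicators Tsonchev describes (Flash, Silverlight and JNLP fetches followed by a payload download whose query string carries req=mp3) lend themselves to a simple proxy-log correlation. The script below is an added example written for this page, not code from Cisco or from the original report. The log format, hostnames and client addresses are constructed for illustration; the only details taken from the page are the three exploit file types and the req=mp3 parameter. It flags a client that fetches an exploit file type and then, within a short window, requests a URL with req=mp3 from the same host. A lone req=mp3 request, or a lone Flash fetch, is deliberately not enough on its own.

```python
"""Correlate RIG-style exploit-kit chains in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Content types and extensions for the exploit formats named in the report.
EXPLOIT_CONTENT_TYPES = {
    "application/x-shockwave-flash": "Flash",
    "application/x-silverlight-app": "Silverlight",
    "application/x-java-jnlp-file": "Java Web Start",
}
EXPLOIT_EXTENSIONS = {".swf": "Flash", ".xap": "Silverlight", ".jnlp": "Java Web Start"}

# Constructed sample proxy log: "<ts> <client> <method> <url> <status> <content-type>".
# Hostnames under .test are hypothetical, not real RIG infrastructure.
SAMPLE_LOG = """\
2014-06-05T10:00:01Z 10.1.2.3 GET http://ads.example-adnet.test/banner.html 200 text/html
2014-06-05T10:00:02Z 10.1.2.3 GET http://landing.example-ek.test/index.php?a=1 200 text/html
2014-06-05T10:00:03Z 10.1.2.3 GET http://landing.example-ek.test/ex.swf 200 application/x-shockwave-flash
2014-06-05T10:00:04Z 10.1.2.3 GET http://landing.example-ek.test/ex.xap 200 application/x-silverlight-app
2014-06-05T10:00:06Z 10.1.2.3 GET http://landing.example-ek.test/load.php?req=mp3&num=7 200 application/octet-stream
2014-06-05T10:00:07Z 10.1.2.9 GET http://music.example.test/song.mp3 200 audio/mpeg
2014-06-05T10:00:08Z 10.1.2.9 GET http://cdn.example.test/player.swf 200 application/x-shockwave-flash
2014-06-05T10:01:00Z 10.1.2.7 GET http://app.example.test/launch.jnlp 200 application/x-java-jnlp-file
2014-06-05T10:01:05Z 10.1.2.7 GET http://app.example.test/dl.php?req=mp3 200 application/octet-stream
"""


def classify_request(url, content_type):
    """Return ("payload", None) for a req=mp3 URL, ("exploit", tech) for a
    Flash/Silverlight/JNLP fetch (by content type, then by extension), else None."""
    parsed = urlparse(url)
    if parse_qs(parsed.query).get("req") == ["mp3"]:
        return ("payload", None)
    tech = EXPLOIT_CONTENT_TYPES.get(content_type.lower())
    if tech is None:
        for ext, name in EXPLOIT_EXTENSIONS.items():
            if parsed.path.lower().endswith(ext):
                tech = name
                break
    return ("exploit", tech) if tech else None


def parse_line(line):
    """Parse one whitespace-separated log line into a dict."""
    ts, client, _method, url, _status, ctype = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "url": url,
        "host": urlparse(url).hostname,
        "ctype": ctype,
    }


def find_ek_chains(log_text, window_seconds=120):
    """Return one alert per (client, host) pair where a req=mp3 download follows
    an exploit-format fetch from the same host within window_seconds.
    Lines are assumed to be in chronological order."""
    window = timedelta(seconds=window_seconds)
    exploit_fetches = defaultdict(list)  # (client, host) -> [(ts, tech), ...]
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        kind = classify_request(rec["url"], rec["ctype"])
        if kind is None:
            continue
        key = (rec["client"], rec["host"])
        if kind[0] == "exploit":
            exploit_fetches[key].append((rec["ts"], kind[1]))
            continue
        # Payload request: only alert if an exploit fetch preceded it recently.
        recent = {tech for ts, tech in exploit_fetches[key] if rec["ts"] - ts <= window}
        if recent:
            alerts.append({
                "client": rec["client"],
                "host": rec["host"],
                "exploit_types": sorted(recent),
                "payload_url": rec["url"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_ek_chains(SAMPLE_LOG):
        print(f"{alert['client']} <- {alert['host']}: "
              f"{', '.join(alert['exploit_types'])} then {alert['payload_url']}")
```

Two chains are flagged in the sample (10.1.2.3 with Flash and Silverlight, 10.1.2.7 via Java Web Start); 10.1.2.9 is not, because its Flash fetch from a CDN is never followed by a payload request, and a legitimate .mp3 download carries no req=mp3 query. The query string is a campaign-specific artifact that the kit's operators can change at any time, so treat it as a weak indicator that is only useful in combination with the exploit-format fetch, and expect to retire it.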

Law enforcement agencies from around the world, including the European Cybercrime Centre (EC3) and the FBI, recently collaborated in an operation to disrupt the powerful Gameover Zeus botnet and seize servers supporting the infamous CryptoLocker ransomware, as these types of malware have grown in prevalence over the last year.

“This threat should be taken seriously — other ransomware has been known to make good on its warnings of data loss. Given the recent high profile reports of an FBI shutdown of Cryptolocker, it is worth remembering that whilst Cryptolocker has proven to be an extremely potent threat it is just one of several forms of ransomware including Cryptowall and Cryptodefense,” Tsonchev continued.

“Ransomware has proved to be a very successful form of extortion and we are likely to see new variants on the Cryptolocker theme for quite some time.”
