Skip to content ↓ | Skip to navigation ↓

A toy maker’s website is unwittingly serving up ransomware that encrypts visitors’ files.

Jérôme Segura, a senior security researcher at Malwarebytes, recently discovered malicious files hosted directly on the homepage for Maisto, an American toy maker that is known worldwide for its model automobiles, airplanes, and motorcycles.

After discovering the files, Segura used a tool developed by security firm Securi to determine that Maisto was running on a Microsoft Internet Information Services (IIS) server and showing an outdated version of the Joomla Content Management System, which made it vulnerable to automated hacking attacks.

The researcher has seen this type of attack before–quite recently, in fact.

“Malicious code was injected directly into the homepage and bears the same pattern as the pseudo-darkleech campaign, also discovered by Sucuri,” he states. “Brad Duncan [of Palo Alto Networks] wrote a nice piece titled “Campaign Evolution: Darkleech to Pseudo-Darkleech and Beyond“, which shows how the attack that once only affected Apache servers also targets Microsoft IIS.”

Equipped with this knowledge, Segura and his fellow researchers reran the Maisto attack from the safety of their lab. They discovered that the malicious files hosted on the toy maker’s homepage were pushing out the Angler exploit kit, which in turn served up Bedep malware.

Bedep has the ability to download secondary malicious software. In this particular attack campaign, the malware served up CryptXXX, a form of crypto-ransomware that appends the .CRYPT extension to each infected file, displays a ransom message, and asks for US $500 in payment. The ransomware can also steal Bitcoins and other information.

maisto ransomware
Source: Malwarebytes

Fortunately for users, Kaspersky Lab recently developed a utility that allows victims of CryptXXX to decrypt their encrypted files for free.

Segura has reached out to Maisto. He has yet to hear back from the company.

Exploit kit attack campaigns, including one that affected some of the world’s most popular news and entertainment websites back in March, are designed to compromise machines with unpatched software vulnerabilities. With that in mind, it is important that users implement security updates as soon as they become available.