
Crypto ransomware lurks in ads on popular websites

Security researchers warn that the major ransomware malvertising campaign that hit popular websites at the weekend may not be over yet

Crypto ransomware has been found lurking in adverts served on popular websites including the BBC, the New York Times, MSN and AOL.

The UK’s National Crime Agency and the FBI have issued warnings about a sudden spike in ransomware, which is malware that typically encrypts data on a target computer and demands a ransom in exchange for the decryption key.

In the latest campaign, various security research teams have discovered ransomware in ads served on news sites last weekend through a compromised online advertising network.

The ransomware was being spread using the Angler exploit kit, which includes tools for cyber attackers to take advantage of vulnerabilities in browser plugin software such as Adobe Flash and Microsoft Silverlight, researchers at security firm Trend Micro said in a blog post.

Once loaded in a browser, the compromised ads – commonly known as malvertising – linked to a cyber criminal server that uses the Angler exploit kit to infect victims with ransomware and other malware.

Malvertising typically occurs when cyber criminals create adverts that are perceived as legitimate, but spread malware by hiding a small piece of code deep in an advert which connects a victim’s computer to criminal servers, said Ben Harknett, vice-president for Europe at security firm RiskIQ.
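The two paragraphs above describe the chain a defender can actually see in web proxy logs: the page loads an ad, the ad's hidden code sends the browser off to a server outside the ad network, and that server delivers a plugin payload (Flash, Silverlight or Java) for the exploit kit. The script below is an added example, not code from the article or from Trend Micro, RiskIQ or Trustwave. It walks referer chains in a constructed proxy log and flags any request for a plugin payload whose chain passes through an ad host but ends on a different host. The log format, the host names, the `AD_HOSTS` set and the payload-extension heuristic are all assumptions made up for the example.

```python
"""Flag ad-initiated referer chains that end in a browser-plugin payload.

Added illustration, not the article's or any vendor's code. The log format,
host names and the payload heuristic below are constructed assumptions.
"""
import re
from urllib.parse import urlparse

# Constructed sample proxy log: "<time> <client> <method> <url> <status> <referer>"
SAMPLE_LOG = """\
12:00:01 10.0.0.5 GET http://news.example/index.html 200 -
12:00:02 10.0.0.5 GET http://ads.example-network.test/serve?slot=top 200 http://news.example/index.html
12:00:02 10.0.0.5 GET http://redir.example-shadow.test/go 302 http://ads.example-network.test/serve?slot=top
12:00:03 10.0.0.5 GET http://landing.example-shadow.test/view.php 200 http://redir.example-shadow.test/go
12:00:03 10.0.0.5 GET http://landing.example-shadow.test/player.swf 200 http://landing.example-shadow.test/view.php
12:00:10 10.0.0.7 GET http://news.example/index.html 200 -
12:00:11 10.0.0.7 GET http://ads.example-network.test/serve?slot=side 200 http://news.example/index.html
12:00:11 10.0.0.7 GET http://cdn.example-network.test/banner.png 200 http://ads.example-network.test/serve?slot=side
"""

# Hosts known to serve ads on our sites (constructed; in practice an allowlist
# maintained from the ad networks the site actually uses).
AD_HOSTS = {"ads.example-network.test"}

# File types loaded by the plugins the article names: Flash (.swf),
# Silverlight (.xap) and Java (.jar).
PLUGIN_PAYLOAD = re.compile(r"\.(swf|xap|jar)$", re.I)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_log(text):
    """Turn the constructed log lines into dicts; skip lines that do not parse."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        t, client, method, url, status, ref = m.groups()
        events.append({
            "time": t, "client": client, "method": method, "url": url,
            "host": urlparse(url).hostname, "status": int(status),
            "referer": None if ref == "-" else ref,
        })
    return events


def build_chain(by_url, event):
    """Walk referers backwards from `event` for the same client.

    Returns the URLs origin-first. A `seen` set guards against referer loops.
    """
    chain = [event["url"]]
    seen = {event["url"]}
    cur = event
    while cur is not None and cur["referer"] and cur["referer"] not in seen:
        seen.add(cur["referer"])
        chain.append(cur["referer"])
        cur = by_url.get((cur["client"], cur["referer"]))
    return list(reversed(chain))


def find_suspicious_chains(text):
    """Return alerts for plugin payloads reached via an ad host but served elsewhere."""
    events = parse_log(text)
    by_url = {(e["client"], e["url"]): e for e in events}
    alerts = []
    for e in events:
        if not PLUGIN_PAYLOAD.search(urlparse(e["url"]).path):
            continue
        chain = build_chain(by_url, e)
        hosts = [urlparse(u).hostname for u in chain]
        if not any(h in AD_HOSTS for h in hosts):
            continue  # plugin content not reached through an ad slot
        if hosts[-1] in AD_HOSTS:
            continue  # payload served by the ad network itself; not this pattern
        alerts.append({"client": e["client"], "payload": e["url"], "chain": chain})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(SAMPLE_LOG):
        print(alert["client"], "->", " -> ".join(alert["chain"]))
```

Two caveats a practitioner would want: browsers usually keep the original referer across an HTTP 302, so in real logs the intermediate redirect host may not appear in the chain at all and the landing page will point straight back at the ad URL, which this walk still handles; and a referer-based chain is only as good as the proxy's logging of the `Referer` header, so the same logic is better fed from a proxy that records both the header and the redirect status codes.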

“Unfortunately, using malvertising as a method of covertly spreading malware is only growing in popularity,” he said. “Recent research we carried out at RiskIQ revealed that malvertising jumped up over 300% year on year between 2014 and 2015 following a string of major publishing sites, such as Forbes.com, Huffington Post and the Daily Mail, being exploited by malvertising campaigns.

“We also found that the most common lure used in malvertisements in 2015 to date has been fake Flash updates, the same software that was exploited across the Yahoo ad network.”

According to a Trustwave SpiderLabs blog post, this latest malvertising campaign saw Angler infect victims with both the Bedep trojan and the TeslaCrypt ransomware.

Trend Micro researchers said the most prominent sites appeared to be no longer carrying the bad ads following swift action by major ad networks, but they warned that the malvertising campaign is ongoing and continues to put users at risk of downloading malware into their systems.


The risk of infection is heightened by the fact that the Angler exploit kit is believed to have been updated recently to exploit further vulnerabilities.

Security consultants are advising businesses and consumers to keep their applications and systems up to date with the latest security patches.

Other recommendations include uninstalling or disabling as many third-party browser plugins and applications as possible, such as Adobe Flash, Oracle Java and Microsoft Silverlight.

In March 2016, security researchers uncovered what is believed to be the first active malware to encrypt Apple Mac computers and demand ransom to unlock them.

Mac computers tend to be regarded as relatively safe from attack, but the migration of ransomware targeting the Microsoft Windows operating system to Apple’s Mac OS X is yet another indicator that things are changing.

Ransomware is one of the top international cyber threats, along with distributed denial of service (DDoS) attacks and bullet-proof hosting services, according to the UK National Crime Agency.

In 2013, the NCA’s National Cyber Crime Unit (NCCU) warned of a mass email-borne Cryptolocker ransomware campaign aimed at small and medium-sized enterprises (SMEs) and consumers.

Since then, ransomware has become increasingly popular with cyber criminals, with its use increasing by 58% in the second quarter of 2015, according to a threat report by Intel Security. Research has shown that relatively low-cost ransomware attacks typically net thousands of pounds a week for attackers.


Here's a nasty thought for when the IP Bill gets passed

All our web site accesses will be logged & will be available without a warrant to the authorities, at least that's the current plan.

So say some terrorist group hijacks an advert and instead of a ransomware payload they have a script that downloads content from terrorist sites & dumps it in a hidden element on the page.

The user would be completely unaware of this, but your terrorist site access would be logged & stay on file for up to a year.

Say the terrorists then remove the malware from the ad so there's no evidence it was ever there.

How long do you think it would be before a government fishing expedition trawls through your web log & you get dragged from your bed by heavily armed men demanding to know about your terrorist affiliations?

You will of course deny any knowledge but the authorities will have the web log as evidence & they will tear your life and probably that of your friends, family & co-workers apart looking for more.

They may eventually realise their error, but do you still think you will have a home or family by that time?

This is a major hole in the IP Bill, I advise you to get your MP to plug it before this becomes law.
This is why our filters block many sites that people think are innocuous. One example I heard recently was that the legitimate site of a well known television chef was blocked because their website was notorious for ads that contained this type of malware.