Crypto ransomware lurks in ads on popular websites

Security researchers warn that the major ransomware malvertising campaign that hit popular websites at the weekend may not be over yet

Crypto ransomware has been found lurking in adverts served on popular websites including the BBC, the New York Times, MSN and AOL.

The UK’s National Crime Agency and the FBI have issued warnings about a sudden spike in ransomware, which is malware that typically encrypts data on a target computer and demands a ransom in exchange for the decryption key.

In the latest campaign, various security research teams have discovered ransomware in ads served on news sites last weekend through a compromised online advertising network.

The ransomware was being spread using the Angler exploit kit, which includes tools for cyber attackers to take advantage of vulnerabilities in browser plugin software such as Adobe Flash and Microsoft Silverlight, researchers at security firm Trend Micro said in a blog post.

Once loaded in a browser, the compromised ads – commonly known as malvertising – linked to a cyber criminal server that uses the Angler exploit kit to infect victims with ransomware and other malware.

Malvertising typically occurs when cyber criminals create adverts that are perceived as legitimate, but spread malware by hiding a small piece of code deep in an advert which connects a victim’s computer to criminal servers, said Ben Harknett, vice-president for Europe at security firm RiskIQ.

“Unfortunately, using malvertising as a method of covertly spreading malware is only growing in popularity,” he said. “Recent research we carried out at RiskIQ revealed that malvertising jumped up over 300% year on year between 2014 and 2015 following a string of major publishing sites, such as Huffington Post and the Daily Mail, being exploited by malvertising campaigns.

“We also found that the most common lure used in malvertisements in 2015 to date has been fake Flash updates, the same software that was exploited across the Yahoo ad network.”

According to a Trustwave SpiderLabs blog post, this latest malvertising campaign saw Angler infect victims with both the Bedep trojan and the TeslaCrypt ransomware.

Trend Micro researchers said the most prominent sites appeared to be no longer carrying the bad ads following swift action by major ad networks, but they warned that the malvertising campaign is ongoing and continues to put users at risk of downloading malware into their systems.

The risk of infection is heightened by the fact that the Angler exploit kit is believed to have been updated recently to exploit further vulnerabilities.

Security consultants are advising businesses and consumers to keep their applications and systems up to date with the latest security patches.

Other recommendations include uninstalling or disabling as much software as possible, such as Adobe Flash, Oracle Java, Microsoft Silverlight and other third-party browser extensions.

In March 2016, security researchers uncovered what is believed to be the first active malware to encrypt Apple Mac computers and demand ransom to unlock them.

Mac computers tend to be regarded as relatively safe from attack, but the migration of ransomware targeting the Microsoft Windows operating system to Apple’s Mac OS X is yet another indicator that things are changing.

Ransomware is one of the top international cyber threats, along with distributed denial of service (DDoS) attacks and bullet-proof hosting services, according to the UK National Crime Agency.

In 2013, the NCA’s National Cyber Crime Unit (NCCU) warned of a mass email-borne Cryptolocker ransomware campaign aimed at small and medium-sized enterprises (SMEs) and consumers.

Since then, ransomware has become increasingly popular with cyber criminals, with its use increasing by 58% in the second quarter of 2015, according to a threat report by Intel Security. Research has shown that relatively low-cost ransomware attacks typically net thousands of pounds a week for attackers.
