Ransomware is an emerging threat in the evolution of cybercriminals techniques to part you from your money. Typically, the malicious software either lock victim’s computer system or encrypt the documents and files on it, in order to extort money from the victims.
Though earlier we saw the samples of Ransomware tended to be simple with dogged determinations to extort money from victims. But with the exponential rise in the samples of Ransomware malwares, the recent ones are more subtle in design, including Cryptolocker, Icepole, PrisonLocker, CryptoDefense and its variants.
Now, the ransomware dubbed as Crytowall, a latest variant of the infamous ransomware Cryptolocker is targeting users by forcing them to download the malicious software by through advertising on the high profile domains belonging to Disney, Facebook, The Guardian newspaper and others.
Cryptolocker is designed by the same malware developer who created the sophisticated CryptoDefense (Trojan.Cryptodefense) ransomware, appeared in the end of March, that holds the victims’ computer files hostage by wrapping them with strong RSA 2048 encryption until the victim pays a ransom fee to get them decrypted.
But unfortunately, the malware author failed to realize that he left the decryption keys left concealed on the user’s computer in a file folder with application data.
So, to overcome this, the developer created Cryptowall ransomware and alike the latest versions of CryptoDefense, the infected system’s files and documents encrypted by CryptoWall are impossible to decrypt.
The story broke, when researchers at Cisco revealed that cybercriminals have started targeting people with RIG Exploit Kits (EK) to distribute malicious Cryptowall ransomware malware.
The Rig Exploit Kit was first spotted by Kahu Security in April, which checks for an unpatched version of Flash, Internet Explorer, Java or the Silverlight multimedia program on the infected users and if found, the system is instantly exploited by the bad actors.
Researchers at Cisco have noticed high levels of traffic consistent with the new “RIG” exploit kit, thereby blocking requests to over 90 domains. On further investigation, the company observed that many of its Cloud Web Security (CWS) users were visiting on those malicious domains after clicking advertisements on high-profile domains such as “apps.facebook.com,” “awkwardfamilyphotos.com,” “theguardian.co.uk” and “go.com,” and many others.
If clicked, the advertisements redirect victims to one of those malicious domains in order to malvertise users and once the system get infected with the RIG Exploit Kit, it will deliver the payload which includes the Cryptowall Ransomware malware.
Now, when this CryptoWall is installed in the infected system, it will start scanning the system Hard Drive for data files and encrypt them.
After encrypting the files on victim's system, it will create files containing ransom instructions in every folder it had encrypted, demanding up to $500 USD. The service where users are instructed to pay the ransom amount is a hidden service that uses the Command-and-Control server hosted on TOR .onion domain.
The largest share of infections, some 42 percent, are in the United States, followed by England and Australia, but it believes that several groups and bad actors are involved in this attack chain.