Malvertising campaign delivers digitally signed CryptoWall ransomware

The wave of attacks through malicious advertisements continues to hit visitors of popular websites

The cybercriminals behind the CryptoWall ransomware threat have stepped up their game and are digitally signing new samples before using them in attacks in an attempt to bypass antivirus detection.

Researchers from network security firm Barracuda Networks found new CryptoWall samples that were digitally signed with a legitimate certificate obtained from DigiCert. The samples were distributed through drive-by download attacks launched from popular websites via malicious advertisements.

Several websites in the Alexa top 15,000 list were affected by this latest malvertising -- malicious advertising -- campaign including, the site of Indian daily newspaper Hindustan Times; Israeli sports news site; and Web development community

"In every case, malicious content arrived via the site's use of the Zedo ad network," the Barracuda researchers said in a blog post Sunday.

Zedo together with Google's DoubleClick ad network were also used by attackers this month to post malicious advertisements on the Times of Israel, the Jerusalem Post and websites among others. That attack campaign distributed a malware program called Zemot.

In a malvertising attack visitors' browsers are redirected by rogue ads to third-party pages that execute exploits for vulnerabilities in outdated browser plug-ins like Java, Flash Player, Adobe Reader or Silverlight.

"Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim's system," the Barracuda researchers said in their analysis of the new attack. "The particular instance delivered via tonight's campaign has a valid digital signature and appears to have been signed just hours before its distribution."

CryptoWall is a particularly nasty ransomware program. Once installed on a system it encrypts files that match a long list of file extensions using strong public-key cryptography. It then asks victims to pay a ransom in Bitcoin in order to receive the key needed to recover their files.

There's currently no completely reliable method of recovering CryptoWall-encrypted files aside from paying the ransom or restoring them from backups that haven't been damaged during the infection. Security researchers advise against paying the ransom because this helps further the fraud and there's no guarantee of getting the key when dealing with cybercriminals.

A recent analysis of the CryptoWall operation by Dell SecureWorks revealed that the malware has infected more than 600,000 computer systems since March and earned its creators over US$1 million.

The digital signing of CryptoWall samples is likely an attempt to evade antivirus detection. The success of this approach is debatable since this practice is no longer uncommon among malware developers and many security products account for it. However, there might be cases where signing malware with certificates stolen from trusted developers might bypass some application whitelisting rules.

The new CryptoWall samples were not detected by any of the 55 antivirus products used on the VirusTotal website when they were discovered Sunday, the Barracuda researchers said. The detection rate has slightly increased since then, they said.

In order to protect themselves against malvertising and drive-by download attacks in general users should keep the software installed on their computers up to date, especially the Web browsers and their plug-ins. They should also enable click-to-play for plug-in based content if the feature is available in their preferred browser.

Join the CSO newsletter!

Error: Please check your email address.

Tags Barracuda NetworkssecurityZedoencryptionExploits / vulnerabilitiesmalwarefraud

More about Barracuda NetworksDellDoubleClickGoogleSecureWorks

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place