The cybercriminals behind the CryptoWall ransomware threat have stepped up their game and are digitally signing new samples before using them in attacks in an attempt to bypass antivirus detection.
Researchers from network security firm Barracuda Networks found new CryptoWall samples that were digitally signed with a legitimate certificate. The samples were distributed through drive-by download attacks launched from popular websites via malicious advertisements.
Several websites in the Alexa top 15,000 list were affected by this latest malvertising—malicious advertising—campaign including hindustantimes.com, the site of Indian daily newspaper Hindustan Times; Israeli sports news site one.co.il; and Web development community codingforums.com.
“In every case, malicious content arrived via the site’s use of the Zedo ad network,” the Barracuda researchers said in a blog post Sunday.
Zedo together with Google’s DoubleClick ad network were also used by attackers this month to post malicious advertisements on the Times of Israel, the Jerusalem Post and Last.fm websites among others. That attack campaign distributed a malware program called Zemot.
In a malvertising attack visitors’ browsers are redirected by rogue ads to third-party pages that execute exploits for vulnerabilities in outdated browser plug-ins like Java, Flash Player, Adobe Reader or Silverlight.
“Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim’s system,” the Barracuda researchers said in their analysis of the new attack. “The particular instance delivered via tonight’s campaign has a valid digital signature and appears to have been signed just hours before its distribution.”
CryptoWall is a particularly nasty ransomware program. Once installed on a system it encrypts files that match a long list of file extensions using strong public-key cryptography. It then asks victims to pay a ransom in Bitcoin in order to receive the key needed to recover their files.
There’s currently no completely reliable method of recovering CryptoWall-encrypted files aside from paying the ransom or restoring them from backups that haven’t been damaged during the infection. Security researchers advise against paying the ransom because this helps further the fraud and there’s no guarantee of getting the key when dealing with cybercriminals.
A recent analysis of the CryptoWall operation by Dell SecureWorks revealed that the malware has infected more than 600,000 computer systems since March and earned its creators over US$1 million.
The digital signing of CryptoWall samples is likely an attempt to evade antivirus detection. The success of this approach is debatable since this practice is no longer uncommon among malware developers and many security products account for it. However, there might be cases where signing malware with certificates stolen from trusted developers might bypass some application whitelisting rules.
The new CryptoWall samples were not detected by any of the 55 antivirus products used on the VirusTotal website when they were discovered Sunday, the Barracuda researchers said. The detection rate has slightly increased since then, they said.
In order to protect themselves against malvertising and drive-by download attacks in general users should keep the software installed on their computers up to date, especially the Web browsers and their plug-ins. They should also enable click-to-play for plug-in based content if the feature is available in their preferred browser.
Correction (10/3): Due to incorrect information from a source, the first sentence of the second paragraph of the story, "Malvertising campaign delivers digitally signed CryptoWall ransomware," incorrectly stated the source of a digital certificate.