With the highly publicized release of Microsoft’s Windows 10 on July 29th, scammers and malware developers were quick to jump in and use it as a method of distributing malware. Cisco’s Talos Group has discovered a email campaign underway that pretends to be from Microsoft and contains an attachment that will supposedly allow you to upgrade to Windows 10. In reality, though, this email is fake and once you double-click on the attached file, you will instead become infected with the encrypting ransomware CTB-Locker.
Image of fake Windows Update Email courtesy of Cisco
As you can see the email pretends to be from the email address update@microsoft.com and contains the subject [b]Windows 10 Free Update. Even the email message looks legitimate with no spelling mistakes or strange grammar. This is because the content is copied directly from Microsoft’s site. The only tell-tale sign is that there will be some characters that do not render properly. Unfortunately, this small sign will not be enough for many people to notice.
Furthermore, once they download the attachment and extract it, the attached Win10Installer.exe icon will be the familiar Windows 10 logo.
It isn’t until you inspect the file properties of the attachment, do you see that something is not right as its file description will be iMacros Web Automation and the copyright for the program will belong to Ipswitch. Ipswitch is a legitimate company and not the ones who released this malware.
Finally, if a user double-clicks on the Win10Installer.exe file, they will not be greeted with the normal Windows 10 upgrade screen. Instead, after a brief delay they will be shown the screen for the CTB-Locker ransomware.
At this point, the computer’s data will be encrypted and there is not much that can be done about it.
Since the Angler Exploit Kit began in late May spreading Cryptowall 3.0 ransomware, traffic containing the malware has continued to grow, putting more potential victims in harm’s way.
A week ago, the SANS Internet Storm Center reported that Cryptowall 3.0 infections are emanating from not only the prolific exploit kit, but also from malicious spam campaigns. The two means of infections share some common characteristics, lending credence to the theory that the same group may be behind both. Version 3.0 is the latest iteration of Cryptowall, which is also known as Crowti. Like other ransomware families, Cryptowall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the encryption key. The malware uses numerous channels to communicate and send stolen traffic to its keepers, including I2P and Tor anonymity networks. Researchers at Cisco in February said that Cryptowall 3.0 abandoned using a dropper for propagation, opting instead to use exploit kits.
As of this morning, SANS incident handler and Rackspace security researcher Brad Duncan said that the latest run of Angler Exploit Kit traffic showed that the attackers had added a different Bitcoin address than the one used previously.
At this point, I’m not 100 percent certain it’s the same actor behind all this Cryptowall 3.0 we’ve been seeing lately,” Duncan wrote on the SANS ISC website. “However, my gut feeling tells me this activity is all related to the same actor or group. The timing is too much of a coincidence.
Duncan said that a check on blockchain.info for activity on the two Bitcoin addresses shows some transactions, indicating some victims are paying the ransom.
“We’re seeing a lot more samples of CryptoWall 3.0 in the spam/EK traffic now than before, so maybe the increased exposure might help infect more computers,” Duncan said, adding that he had no data on whether any of the victims who did pay the ransom were receiving encryption keys and are able to salvage their data.
Duncan said this latest spike began May 25 from both the malicious spam and Angler angles; both campaigns were still active as of early this morning.
The spam campaign uses Yahoo email addresses to send Cryptowall 3.0 via attachments. The attachments are called my_resume.zip and contain an HTML file called my_resume.svg. Duncan said the attackers have begun appending numbers to the file names, such as resume4210.html or resume9647.html.
Opening the attachment and extracting the malicious file gives you an HTML document. If you open one of these HTML files, your browser will generate traffic to a compromised server,” Duncan wrote. “The return traffic is gzip compressed, so you won’t see it in the TCP stream from Wireshark. Exporting the text from Wireshark shows HTML that points to a shared document from a Google server.
Cryptowall is hosted on a number of different docs.google.com URLs, he said, a list of which is posted on the SANS website. The Bitcoin address used for payment in the spam campaign is 16REtGSobiQZoprFnXZBR2mSWvRyUSJ3ag, the same address found in other spam samples.
Infections coming from Angler began May 26, and were the first Cryptowall 3.0 infections seen from Angler. The Bitcoin address used in Angler infections is 16Z6sidfLrfNoxJNu4qM5zhRttJEUD3XoB, SANS said. Duncan reports that a second Bitcoin address, 12LE1yNak3ZuNTLa95KYR2CQSKb6rZnELb, was used as of today.
“There are any number of reasons to use more than one Bitcoin address. It could be a back-up, in case law enforcement is closing in on the other one. It could be a way to track different infections, geographically,” Duncan said. “I’m not sure on this one. It’s just my gut feeling, which could be wrong.”
Duncan said that a new slate of WordPress sites were redirecting to Angler in this campaign, based on web injects observed.
“The significance is that there are plenty of vulnerable websites running outdated or unpatched versions of WordPress,” Duncan said. “The actors behind this (and other) campaigns will have a continuous supply of websites that can be compromised and used for these efforts.”
Attackers have been leveraging the FlashPack Exploit Kit to peddle the CryptoWall 2.0 ransomware on unsuspecting visitors to sites such as Yahoo, The Atlantic and AOL. Researchers believe that for about a month the malvertising campaign hit up to 3 million visitors and netted the attackers $25,000 daily.
According to experts at Proofpoint, a firm that primarily specializes in email security, the exploit kit targeted a vulnerability in Adobe Flash via users’ browsers to install the ransomware on users’ machines.
Malvertising is an attack that happens when attackers embed malicious code – in this case code that led to the latest iteration of CryptoWall – into otherwise legitimate ads to spread malware via drive-by downloads. Users can often be infected without even clicking on anything.
CryptoWall, which takes users’ files, encrypts them with rigid RSA-2048 encryption, then asks for a fee to decrypt them, made a killing earlier this summer. In August it was reported that the ransomware made more than $1.1 million for its creators in just six months.
Similar to Critoni/Onion, a ransomware dug up in July, CryptoWall 2.0 downloads a TOR client on the victim’s machine, connects to a command and control server and demands users send Bitcoin – $500 worth – to decrypt their files. Since the campaign lasted about a month, from Sept. 18 to this past Saturday, researchers are estimating that 40 of the campaign’s Bitcoin addresses collected at least 65 BTC each, a number that roughly translates to $25,000 a day.
Proofpoint claims that high ranking sites such as AOL, The Atlantic, Match.com and several Yahoo subdomains such as their Sports, Fantasy Sports and Finance sites, were spotted serving up the tainted ads. Other sites lesser known in the U.S. such as Australia’s Sydney Morning Herald, The Age, and the Brisbane Times, were reportedly also doling out the ads.
While the campaign started a month ago the firm claims things didn’t start to ramp up until recently.
“After crossing a threshold level, it became possible to associate the disparate instances with a single campaign impacting numerous, high-traffic sites,” Wayne Huang, the company’s VP of Engineering, said of the campaign.
The firm claims it worked quickly to notify those involved in the campaign, including the ad providers, and as of this week, believes the situation has been nullified.
Last month researchers with Barracuda Labs found a CryptoWall variant with certificate signed by Comodo being distributed through ads on a handful of different websites. None of those sites were nearly as trafficked as those spotted by this most recent campaign however. The Alexa rankings for Yahoo (4), AOL (37), Match (203), and The Atlantic (386) place them within the top 500 of the internet’s most popular sites, something that likely upped the campaign’s exposure level.
Ransomware is an emerging threat in the evolution of cybercriminals techniques to part you from your money. Typically, the malicious software either lock victim’s computer system or encrypt the documents and files on it, in order to extort money from the victims.
Though earlier we saw the samples of Ransomware tended to be simple with dogged determinations to extort money from victims. But with the exponential rise in the samples of Ransomware malwares, the recent ones are more subtle in design, including Cryptolocker, Icepole, PrisonLocker, CryptoDefense and its variants.
Now, the ransomware dubbed as Cryptowall, a latest variant of the infamous ransomware Cryptolocker is targeting users by forcing them to download the malicious software by through advertising on the high profile domains belonging to Disney, Facebook, The Guardian newspaper and others.
Cryptolocker is designed by the same malware developer who created the sophisticated CryptoDefense (Trojan.Cryptodefense) ransomware, appeared in the end of March, that holds the victims’ computer files hostage by wrapping them with strong RSA 2048 encryption until the victim pays a ransom fee to get them decrypted.
But unfortunately, the malware author failed to realize that he left the decryption keys left concealed on the user’s computer in a file folder with application data.
So, to overcome this, the developer created Cryptowall ransomware and alike the latest versions of CryptoDefense, the infected system’s files and documents encrypted by CryptoWall are impossible to decrypt.
The story broke, when researchers at Cisco revealed that cybercriminals have started targeting people with RIG Exploit Kits (EK) to distribute malicious Cryptowall ransomware malware.
The Rig Exploit Kit was first spotted by Kahu Security in April, which checks for an unpatched version of Flash, Internet Explorer, Java or the Silverlight multimedia program on the infected users and if found, the system is instantly exploited by the bad actors.
Researchers at Cisco have noticed high levels of traffic consistent with the new “RIG” exploit kit, thereby blocking requests to over 90 domains. On further investigation, the company observed that many of its Cloud Web Security (CWS) users were visiting on those malicious domains after clicking advertisements on high-profile domains such as “apps.facebook.com,” “awkwardfamilyphotos.com,” “theguardian.co.uk” and “go.com,” and many others.
cryptowall ransomware If clicked, the advertisements redirect victims to one of those malicious domains in order to malvertise users and once the system get infected with the RIG Exploit Kit, it will deliver the payload which includes the Cryptowall Ransomware malware.
Now, when this CryptoWall is installed in the infected system, it will start scanning the system Hard Drive for data files and encrypt them.
After encrypting the files on victim’s system, it will create files containing ransom instructions in every folder it had encrypted, demanding up to $500 USD. The service where users are instructed to pay the ransom amount is a hidden service that uses the Command-and-Control server hosted on TOR .onion domain.
The largest share of infections, some 42 percent, are in the United States, followed by England and Australia, but it believes that several groups and bad actors are involved in this attack chain.