Major Ransomware Campaign Hits Leading Websites Including MSN, BBC, AOL
Tens of thousands of users may have been infected in a matter of hours.
Researchers at Trustwave, Trend Micro and Malwarebytes recently came across a major malvertising campaign that successfully placed malicious ads on popular websites including MSN.com, NYTimes.com, BBC.com and AOL.com.
The ads redirected visitors to the Angler exploit kit, then infected them with both the Bedep Trojan and the TeslaCrypt ransomware, Trustwave SpiderLabs reports.
According to Trend Micro, tens of thousands of users may have been infected by the campaign in the space of 24 hours.
"[It] seems that an experienced actor has acquired an expired domain of a small but probably legitimate advertising company in order to utilize this for malicious purposes," Trustwave SpiderLabs stated in a blog post describing the threat. "This provides them with high quality traffic from popular websites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK."
Tim Erlin, director of IT security and risk strategy at Tripwire, told eSecurity Planet by email that the campaign demonstrates that both malvertising and ransomware continue to be useful tools for cyber criminals. "While these websites don’t directly control the content delivered by ad providers, they are ultimately responsible for the end result," he said. "Strong security should be a valued feature from an ad network."
And RSA general manager and senior director Peter Tran said by email that the inclusion of ransomware in the attacks serves as a warning shot to those who handle critical infrastructure like transportation, logistics and utilities.
"The question for these organizations becomes, what leverage [do] you have against these ransom demands? In the cyber world, you won't see the SWAT teams and negotiators come in to 'talk down' the demands and run the clock out," Tran said. "Data is king and it's serious business to the ransomware cyber criminals."
A recent Intermedia survey of 275 IT consultants, conducted by Researchscape International, found that the true cost of ransomware, according to respondents, is employee downtime rather than the cost of the ransom itself.
Seventy-two percent of infected business users couldn't access their data for two days following a ransomware infection, and 32 percent lost access for five days or more.
Eighty-six percent of infections affected two or more employees, and 47 percent spread to 20 or more people.
"In the age of ransomware, what matters is how quickly employees are able to get back to work," Intermedia senior vice president Richard Walters said in a statement. "Traditional backup and file sharing solutions are increasingly inadequate when it comes to addressing this growing concern, putting businesses at risk."