Ransomware campaigns have been cropping up by the dozens since the success of Cryptolocker and the latest to join the lineup is Cryptowall that utilises a combination of an exploit kit and malicious advertisements on high-profile websites as a spreading mechanism.

The ransomware is using RIG exploit kit as a distribution mechanism, which in turn exploits vulnerabilities in unpatched version of Flash (CVE-2013-0634), Silverlight (CVE-2013-0074) and Java (CVE-2013-2465 and CVE-2012-0507) to infect victim systems.

According to an extensive analysis of the RIG exploit kit by Cisco and the traffic patterns it has observed for its Cloud Web Security (CWS) customers, RIG is using malvertising for drive-by attacks on visitors of high-profile and legitimate websites including apps.Facebook.com, theguardian.com, jerusalempost.com, wiki.answers.com, streetmap.co.uk, elderscrolls.wikia.com among other such 55 domains.

Once a victim’s system is successfully exploited, RIG exploit kit drops the Cryptowall ransomware with an initial demand of anywhere between $200 and $500.

“Like other forms of ransomware, Cryptowall encrypts your local files and requires you to pay a ransom for the key stored on their servers. Upon infecting our test system, we were provided with the above links to TOR sites, and a personal identification number. Visiting the page presents you with a captcha followed by information about your ransom” notes Cisco.

The warning on the ransom page informs users that if they do not abide by the ransom demand within a few days, the ransom will triple and subsequent neglect would force it to permanently delete the decryption keys thereby rendering victim’s personal data unretrievable.

Cisco notes in its analysis report that the ad requests were observed to originate from ads1.solocpm.com, which in turn was redirecting from ams1.ib.adnxs.com that had the referrer field linked to multiple high-profile and legitimate websites.

“Around 47% of the requests for RIG landing pages that we have seen came from this ads1.solocpm.com host, and of these, 90 were redirects from adnxs.com domains”, noted Cisco.

According to Cisco, most of the infections were observed in the US followed by UK.

  • John Walker

    So far i’ve heard eset and Symantec are detecting this. If you have any weird .ZIP files scan them through a free multi scanner like Metascan online or VT