Angler Exploit Kit Spreading Cryptowall 4.0 Ransomware


One of the most popular exploit kits, Angler, has been spotted spreading the ransomware Cryptowall 4.0.

As expected, it didn’t take long for one of the most popular exploit kits, Angler, to start spreading the latest iteration of Cryptowall ransomware.

A drive-by campaign that uses a one-two punch to drop Cryptowall 4.0 has been observed in the wild this week, according to researchers at Heimdal Security.

First, the password-stealing malware Pony is dropped onto a system. After forwarding any sensitive site usernames and passwords to command-and-control servers, the stolen credentials are used to inject malicious script into those websites.

“The purpose of this action is to abuse legitimate access credentials to web servers and CMS [content management systems] used by websites, and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution,” Andra Zaharia of Heimdal wrote Wednesday.

From there, the victim is redirected from the legitimate site to a compromised site that drops Angler. Assuming it’s able to find a vulnerability on the system, Angler then exploits it and “force-feeds” the system Cryptowall 4.0.

The latest version of Cryptowall has barely been on the scene a month. The malware encrypts not only the data on victims' machines but also the filenames, which makes it much trickier to recover the files without paying the ransom.

Zaharia claims Heimdal has blocked more than 200 domains this week alone – many of which stem from a fairly stealthy bulletproof host in Ukraine – that attackers are using to propagate the ransomware.

Last week, a handler with the SANS Internet Storm Center noticed an attacker peddling the ransomware through the Nuclear Exploit Kit, the first time the ransomware was distributed via one of these tools.

The handler, Brad Duncan, who also works as a security engineer for Rackspace, said he didn’t expect Nuclear to be the only exploit kit to distribute Cryptowall 4.0 for long. It turns out attackers only needed an extra week to use Angler to redirect would-be victims to the ransomware.


  • Dale Sutton on

    My son just got it and is at risk of losing all his 2nd-year university projects due in the next week. Is there any solution, including paying the ransom? Has anyone paid it and got their files unencrypted?
  • Harry on

    You are the most likely to get your files back once you pay. And even the FBI as well as cyber security companies suggest that it's the only way.
  • shane on

    As an IT provider we have just paid the ransom for a client whose backups had not been working for several months, heart in mouth as after entering the transaction ID it went to status "pending" for about 30 mins before proceeding. But it then proceeded, and allowed me to download the decrypter exe, which scanned and took a few hours but was flawless in execution.
