Researchers have spotted several types of ransomware, including CryptXXX and a fairly new strain, Cryptobit, being pushed through the same shady series of domains.
The campaign, called Realstatistics, has tainted thousands of sites built on the Joomla! and WordPress content management systems. Researchers with security company Sucuri observed the campaign injecting bogus analytics code, including the URL realstatistics[.]info, into the PHP templates of infected sites over the past few days.
In a post to the company’s blog on Wednesday, Sucuri CTO and founder Daniel Cid said the campaign first redirected visitors to the Neutrino Exploit Kit. If the kit successfully exploited a Flash or PDF reader vulnerability, the visitor was left saddled with the ransomware du jour, CryptXXX.
Cid said a division of his company that helps identify and remove website infections has been monitoring the campaign for two weeks and has observed at least 2,000 affected sites. He said the real number of hacked sites may be up to five times that, given that the team only sees sites that use the company’s scanner.
It is unclear exactly how the attackers have been able to infiltrate both content management systems to plant the code. Sucuri fingerprinted the affected sites: 90 percent were running a CMS the company could identify, and 60 percent were running out-of-date Joomla! or WordPress builds. That points to a common vulnerability uniting the two, perhaps one already patched in an outdated plugin or extension used by the sites.
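As an added example (not Sucuri’s scanner and not code from the original article), the script below walks a CMS document root looking for the injected reference to realstatistics[.]info in PHP templates and JavaScript, and reads the WordPress version from wp-includes/version.php so an out-of-date build can be flagged alongside the injection. The directory layout, file contents and version string are constructed sample data; the exact markup the attackers injected is not described here, so the scan matches on the domain itself and on any extra indicators you pass in.

```python
"""Scan a CMS document root for the injected "analytics" reference tied to
the Realstatistics campaign.

Added example, not Sucuri's or Palo Alto Networks' code. Assumption: the
injection shows up as a reference to the realstatistics[.]info domain inside
PHP template or JavaScript files; the precise markup is not known here, so the
scanner matches the domain rather than a specific script tag.
"""
import os
import re
import tempfile

# Indicator domains, written defanged. realstatistics[.]info comes from the
# reporting; brackets are stripped before matching against file contents.
DEFAULT_INDICATORS = ["realstatistics[.]info"]

# Only template and script files are scanned; images, CSS etc. are skipped.
SCANNED_EXTENSIONS = {".php", ".js", ".html", ".htm"}


def _refang(indicator):
    """Turn 'example[.]com' back into 'example.com' for matching."""
    return indicator.replace("[.]", ".")


def build_pattern(indicators=DEFAULT_INDICATORS):
    """Case-insensitive regex matching any indicator, with dots escaped."""
    parts = [re.escape(_refang(i)) for i in indicators]
    return re.compile("|".join(parts), re.IGNORECASE)


def scan_file(path, pattern):
    """Return a list of (line_number, stripped_line) hits in one file."""
    hits = []
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                if pattern.search(line):
                    hits.append((lineno, line.strip()))
    except OSError:
        pass  # unreadable file: skip rather than abort the whole scan
    return hits


def scan_tree(root, indicators=DEFAULT_INDICATORS):
    """Walk a document root; return {relative_path: [(lineno, line), ...]}."""
    pattern = build_pattern(indicators)
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCANNED_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full, pattern)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def wordpress_version(root):
    """Read $wp_version from wp-includes/version.php; None if not a WP root."""
    path = os.path.join(root, "wp-includes", "version.php")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            match = re.search(r"\$wp_version\s*=\s*'([^']+)'", fh.read())
    except OSError:
        return None
    return match.group(1) if match else None


def build_sample_site():
    """Constructed sample WordPress-style tree (not a real infected site):
    one template carrying an injected script tag, one clean template, and a
    version file. The script path '/js/analytics.js' is made up."""
    root = tempfile.mkdtemp(prefix="realstats_demo_")
    theme = os.path.join(root, "wp-content", "themes", "demo")
    os.makedirs(theme)
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(theme, "header.php"), "w") as fh:
        fh.write("<?php wp_head(); ?>\n"
                 "<script type='text/javascript' "
                 "src='http://realstatistics.info/js/analytics.js'></script>\n")
    with open(os.path.join(theme, "footer.php"), "w") as fh:
        fh.write("<?php wp_footer(); ?>\n</body></html>\n")
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as fh:
        fh.write("<?php\n$wp_version = '4.5.2';\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("WordPress version:", wordpress_version(site))
    for rel, hits in scan_tree(site).items():
        for lineno, text in hits:
            print(f"{rel}:{lineno}: {text}")
```

Run it against a real document root by replacing `build_sample_site()` with the site path; add further defanged domains to the indicator list as they are published. A hit in a theme or extension file, combined with a version string behind the current release, is the cue to take the site offline and restore the template from a clean copy rather than just deleting the injected line.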
On Thursday, researcher Brad Duncan wrote a blog post for Palo Alto Networks reporting that he had seen the same Realstatistics domain inject a script into the page of a compromised site, redirect to the Rig Exploit Kit, and infect users with Cryptobit ransomware.
Like practically every strain of ransomware, Cryptobit urges victims to contact the criminals to restore their files. The ransom note, which appears on victims’ desktops, does not say how much to pay, or in what currency, to get the files back, however. Some of the first Cryptobit infections were discovered in April; at the time the ransomware was using both AES and RSA to encrypt files, a combination that makes the data more difficult to recover without the attackers’ key.
Criminals pushed Cryptobit hard for more than a week; Duncan said he spotted eight different samples of the variant over the course of 10 days. At the end of June, however, the campaign shifted to distributing other malware, he said.
Duncan told Threatpost on Thursday that he has, for instance, seen Gootkit, banking malware that steals credentials from infected machines, spread from the campaign via Neutrino. Before Cryptobit it was the Cerber ransomware, Duncan said, noting that the campaign occasionally switches which malware it distributes.
The criminals behind CryptXXX have kept busy adapting their ransomware in the face of rapidly changing detection signatures. While generating exploit kit traffic earlier this week, Duncan noticed a Neutrino infection triggered by a pseudoDarkleech campaign. Examining the ransomware, he found the criminals had tweaked both the ransom note and the Tor payment site it uses.