RIG Exploit Kit Pushing Cryptowall Ransomware

The RIG Exploit Kit is using malvertising to infect victims with Cryptowall ransomware, including one tiny New Hampshire town that proved backup is king when confronting ransomware.

With Cryptolocker quite possibly on its way to becoming yesterday’s ransomware news after the successful takedown of part of its distribution infrastructure, alternatives are already available.

Cryptowall is the latest to grab some attention and traction on victimized computers. Cisco reported on Friday that the RIG Exploit Kit is spreading Cryptowall, which like Cryptolocker, encrypts hard drives until a ransom is paid by a certain deadline. The hackers threaten the victims that their encryption key will be destroyed if the ransom is not paid and the encrypted data will be irretrievably lost.

RIG popped up in April and peaked in May. The exploit kit uses malvertising to infect victims, even those visiting popular and legitimate websites. While most of the exploits served up in the kit are for Flash, Microsoft Silverlight exploits are growing while Java exploits are dipping.

Victims are instructed to pay anywhere between $300 and $600 to get their data back and are told to follow a link to a personalized page where they pay their ransom, or should that fail, to download the Tor browser and type in a .onion link where further payment instructions await.

“This threat should be taken seriously — other ransomware has been known to make good on its warnings of data loss,” said Levi Gundert, Technical Leader, Threat Research Analysis and Communications at Cisco. “Ransomware has proved to be a very successful form of extortion and we are likely to see new variants on the Cryptolocker theme for quite some time.”

The town of Durham, N.H., recovered from a Cryptowall infection last night after an officer at the Durham Police Department last Thursday followed a link in an email and infected a number of machines forcing the town to take the systems offline and restore them from backup.

Town administrator Todd Selig told Threatpost that paying the ransom was not a consideration.

“We do regular backups of all our systems on a daily basis and they’re stored offsite, so we knew we had an intact backup. From our point of view, the ransom line of thinking was irrelevant,” Selig said. “We knew we could restore the system. It was a matter of time before we were able to isolate the virus, eradicate it from the police department systems and then restore the systems with our backup.”

Durham has a full-time MIS person on staff, Luke Vincent, and contracts out with several technology companies for support, Selig said. He said that by Friday, the outbreak had been contained and by Sunday night, backup data had been directly transferred from portable hard drives to the affected system.

Selig said the email the officer received appeared to be from a trusted source.

“It was similar to something the officer was expecting to receive,” Selig said. “It appears to have been a fishing expedition and the virus had infiltrated this person’s machine.

“We were really fortunate to have the foresight to have reliable backups,” Selig said. “This reinforced how valuable backup was.”

Now that Cryptowall has been integrated into an exploit kit that’s taking advantage of the frailty of ad networks, expect copycats.

Cisco said about half of the requests for RIG landing pages came from the host, ads1[.]solocpm[.]com, and of these, 90 were redirects from adnxs[.]com domains. By analyzing referrer fields, Cisco said that popular sites such as altervista.org, apps.facebook.com and ebay.in could be hosting malicious RIG ads. Some of the malicious domains are also running on WordPress, but those domains likely fell victim to brute force attacks rather than an exploit of a vulnerability.
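The referrer analysis described above is a routine defenders can run themselves against their own web-proxy logs: for every request to a known exploit-kit landing host, record which site or ad network the browser was referred from, then count and rank those referrers. The script below is an added example, not Cisco's tooling or code from this article. The log lines are constructed for the example, the referrer hosts (publisher-a.example, ads.adnet.example and so on) are placeholders, and the only value taken from the article is the landing host ads1.solocpm.com used as the watch-list entry. A referrer showing up in this list means a page on that site loaded something that redirected to the landing host, which is the malvertising pattern the article describes; it does not by itself prove the referring site is compromised.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy log sample (not real traffic). Space-separated fields:
# timestamp, client IP, method, URL, HTTP status, Referer header ("-" if absent).
SAMPLE_LOG = """\
2014-06-06T10:01:02Z 10.0.0.5 GET http://ads1.solocpm.com/landing?x=1 200 http://publisher-a.example/news
2014-06-06T10:01:03Z 10.0.0.5 GET http://ads1.solocpm.com/landing?x=1 200 http://ads.adnet.example/rd?id=9
2014-06-06T10:02:10Z 10.0.0.7 GET http://publisher-a.example/news 200 -
2014-06-06T10:02:11Z 10.0.0.7 GET http://ads1.solocpm.com/landing?x=2 200 http://ads.adnet.example/rd?id=9
2014-06-06T10:03:00Z 10.0.0.9 GET http://cdn.example/jquery.js 200 http://publisher-b.example/
2014-06-06T10:03:05Z 10.0.0.9 GET http://ads1.solocpm.com/landing?x=3 200 http://publisher-b.example/
2014-06-06T10:03:06Z 10.0.0.9 GET http://ads1.solocpm.com/landing?x=3 200 not-a-url
"""

# Watch list of exploit-kit landing hosts. The entry below is the host named
# in the article; in practice this comes from your threat-intel feed.
LANDING_HOSTS = {"ads1.solocpm.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, referrer = m.groups()
    return {
        "ts": ts,
        "client": client,
        "method": method,
        "url": url,
        "status": int(status),
        "referrer": None if referrer == "-" else referrer,
    }


def host_of(url):
    """Lower-cased hostname of a URL, or '' if the URL has no parsable host."""
    return (urlsplit(url).hostname or "").lower()


def referrers_to_landing(lines, landing_hosts):
    """Count referrer hosts for requests that hit a landing host.

    Returns (counts, clients): counts maps referrer host -> number of landing
    requests it preceded; clients maps referrer host -> set of client IPs that
    followed that redirect chain. Requests with no usable referrer are skipped.
    """
    counts = Counter()
    clients = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referrer"] is None:
            continue
        if host_of(rec["url"]) not in landing_hosts:
            continue
        ref_host = host_of(rec["referrer"])
        if not ref_host:  # malformed Referer header, nothing to attribute
            continue
        counts[ref_host] += 1
        clients[ref_host].add(rec["client"])
    return counts, clients


def report(lines, landing_hosts):
    """Ranked list of (referrer host, request count, distinct clients)."""
    counts, clients = referrers_to_landing(lines, landing_hosts)
    return [(h, n, len(clients[h])) for h, n in counts.most_common()]


if __name__ == "__main__":
    for host, n, ncli in report(SAMPLE_LOG.splitlines(), LANDING_HOSTS):
        print(f"{host:24s} requests={n} clients={ncli}")
```

Run against real proxy logs, the ranking separates ad networks that sit directly in front of the landing page (many requests, many clients) from publisher sites that merely carried the ad; both are leads for blocking or for notifying the site owner, but the fix belongs with whoever served the redirect.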

“Using existing legitimate sites to host the EK alleviates the need to create and maintain a dedicated domain infrastructure, and mitigates some of the problems associated with doing so: registering new domains, randomizing naming, using multiple email addresses, etc., in order to avoid easy attribution,” Gundert said.

The growth of Silverlight exploits also merits watching. Netflix runs on the streaming media plug-in and with its growing popularity, hackers have taken notice and are adapting exploits for it. Cisco said that while 48 percent of the exploits delivered by RIG are for Flash, 30 percent target Silverlight vulnerabilities while 13 percent are Java exploits.

In the meantime, victims such as tiny Durham, N.H.’s police department show that backup is king when it comes to combating ransomware.

“When it comes to dealing with ransomware the best advice is to be proactive: maintain regular and full backups in case the worst should happen,” Gundert said. “But it bears remembering that however malicious the payload an EK happens to be armed with, it is still only as good as its exploits. Regularly updated and patched machines which do not have rich media platforms such as Flash and Silverlight enabled remain relatively immune from these kinds of attacks.”

Photo courtesy Todd Selig, Town Administrator, Durham, N.H.