DRIVE-BY —

New ransomware campaign pilfers passwords before encrypting gigabytes of data

Surreptitious attacks often prey on people visiting legitimate sites.

A new wave of crypto ransomware is hitting Windows users courtesy of poorly secured websites. Those sites are infected with Angler, the off-the-shelf, hack-by-numbers exploit kit that saves professional criminals the hassle of developing their own attack.

The latest round is especially nasty because before encryption, the drive-by attacks first use malware known as Pony to harvest any login credentials stored on the infected computer, according to a blog post published by a firm called Heimdal Security. The post explains:

The campaign is carried out by installing a cocktail of malware on the compromised PC. The first payload consists of the notorious data thief Pony, which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of Control & Command servers controlled by the attackers.

The purpose of this action is to abuse legitimate access credentials to web servers and CMS systems used by websites and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution.

In the second phase, the drive-by campaigns unfolds via the victim being moved from the legitimate website, which has been compromised, to a heap of dedicated domains which drop the infamous Angler exploit kit.

The Angler exploit kit will then scan for vulnerabilities in popular third-party software and in insecure Microsoft Windows processes, if the system hasn’t been updated. Once the security holes are identified, Angler will exploit them and force-feed CryptoWall 4.0 into the victim’s system.

To consider just how insidious attacks like these are, consider this: earlier this week, Ars reported that the Reader's Digest website was actively infected by Angler. A reader promptly replied that someone in his organization had visited the site in early November—four weeks before the article was published—and was infected by CryptoWall after reading an article. The target's only mistake, it seems, was failing to update one of several apps.

Reader's Digest told Ars that it has disinfected Angler from its servers, but it has yet to explain how the exploit got there in the first place—or why it remained there for so long. (For the record, Heimdal Security reported that the campaign it observed installed CryptoWall 4.0, while the Ars reader said version 3.0 was installed. It's not clear if these are separate campaigns or if the difference is the result of discrepancies in the way versions are tracked.)

Crypto ransomware came to the world's attention in the second half of 2013 with malware calling itself CryptoLocker. Since then, there have been a dozen or so copycat titles and a steady stream of refinements to further befuddle targets. People should be sure to keep operating systems, browsers, and browser plugins updated with the latest security patches and strongly consider uninstalling Flash and Java.

Post updated to change headline.

Channel Ars Technica