Saturday, August 23, 2014

Yahoo Advertising Spreads CryptoWall Ransomware

It's been reported that the latest release of CryptoWall is being distributed through Yahoo!'s advertising network to infect PCs. CryptoWall encrypts a victim's files using an OpenSSL-generated key and demands a ransom, normally in the range of $300-$500 U.S., to undo the damage. It reportedly communicates with its controllers using RC4-encrypted messages carried over the Tor network.
 
Initially it spread by spamming email inboxes with "incoming fax" scans or links to files held in cloud storage that were booby-trapped with malicious code. The malware then evolved to use malicious web advertisements to spread across the internet.

Since the end of July, researchers have tracked the spread of CryptoWall through online advertising networks.

According to Blue Coat researchers, Yahoo!'s ad network is favored by the crooks because it has a huge reach – its ads appear on a large number of sites – and can therefore funnel more victims towards the infected web sites.

“What looked like a minor malvertising attack quickly became more significant as the cyber criminals were successfully able to gain the trust of the major ad networks like ads.yahoo.com,” Chris Larsen, a senior malware researcher at Blue Coat, explained in a statement.

“The interconnected nature of ad servers and the ease with which would-be attackers can build trust to deliver malicious ads points to a broken security model that leaves users exposed to the types of ransomware and other malware that can steal personal, financial and credential information,” he continued.

Larsen later told The Register on Friday that "ads.yahoo.com was not among the sites directly connected to the CryptoWall-infected sites. It was, however, among the referrers to one of the malvertising sites that was directly connected."

As noted in earlier posts, CryptoWall is a variant of the better-known ransomware CryptoLocker, which generated over $30 million for its creator in its first 100 days of operation.
