CryptoWall 2.0 Ransomware Targeting Popular Websites - How to, Technology and PC Security Forum

It was recently revealed that the CryptoWall 2.0 ransomware was part of a huge malvertising campaign targeting popular websites like 9Gag, AOL, Yahoo, etc. Around three million users a day were exposed to the latest version of the file-encrypting malware.

Malvertising is not a complicated practice. It involves a malicious advertisement inserted into an ad network, which then distributes it to client webpages. Users are usually presented with different ads depending on their interests and location, which makes the attack rather difficult to detect. What is concerning is that the payload is delivered to the affected machine via drive-by download, without any visible sign of the webpage being compromised.

CryptoWall 2.0 Targeting Popular Websites

The targeted websites have a very high Alexa rank. The list of the compromised webpages contains 22 names so far. It is important to note that it is not the websites themselves that are compromised, but the network pushing the advertisements. According to the researchers’ estimate, the hackers have made about $25,000 in Bitcoins per day. The profit from the entire campaign is supposedly about $750,000.

Three big ad network members have been noted to deliver malvertisements to webpage publishers:

  • Rubicon Project
  • OpenX
  • Right Media

In these cases the ad copies and images were stolen from the Web, experts say. There is no sign of any kind that the companies in question were involved in the campaign, or that their websites were compromised.

Researchers have discovered at least 84 variations of the CryptoWall ransomware since the beginning of the month.

A researcher with Palo Alto Networks reported that 85,000 attacks trying to deliver the ransomware have been recorded since CryptoWall 2.0 was released. Most of them are delivered through emails with malicious attachments.

Multiple versions of CryptoWall have been detected recently. Some are delivered through the NuclearPack exploit kit, others via the FlashPack exploit kit. One of the variations is reportedly signed with a digital certificate from Comodo. In one of the most recent attacks, the ransomware was connected to four domains, all with a Russian IP address.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming of a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
