Nuclear Exploit Kits Spreading CryptoWall
Posted by: Timothy Weaver on 11/26/2015 10:00 AM
Exploit kits are the new delivery system for the CryptoWall ransomware.
According to SANS ISC handler and Rackspace security engineer Brad Duncan, an attacker working off domains belonging to Chinese registrar BizCN has been moving the ransomware via the Nuclear Exploit Kit.
Duncan told Threatpost: “I’ve always expected 4.0 to spread and replace CryptoWall 3.0 in all areas. I noticed the same thing when CryptoWall 2.0 replaced the original CryptoWall in 2014. It didn’t happen immediately. It started with malicious spam and moved to exploit kits. As criminals start delivering CryptoWall 4.0 through exploit kits, it won’t immediately happen with all exploit kits at the same time. You’ll start seeing it from one actor, then another, and another. At some point everyone will have moved to the new version.”
The move to Nuclear, Duncan said, won’t be exclusive; he expects other exploit kits, including Angler, to eventually carry CryptoWall 4.0 as well, with compromised sites redirecting visitors their way. However, Duncan still expects the attackers will continue to use spam as an effective way to deliver the malware.
“They’re not moving from spam. We’ll still see CryptoWall 4.0 from malicious spam, even as we start seeing it more from exploit kits. This is just version 4.0 spreading and replacing version 3,” Duncan said. “Some criminal groups focus on malicious spam. Other groups use exploit kits.”
Researchers at Bleeping Computer said the biggest change is that the ransomware now encrypts file names, in addition to data.
Source: ThreatPost