Initially, antivirus engines failed to detect the threat

Sep 29, 2014 23:53 GMT  ·  By

Five prominent websites have been found to redirect visitors, through the advertisements they displayed, to malicious locations that delivered a variant of the CryptoWall ransomware to the victims' computers.

One notable detail is that the variant discovered by security researchers was apparently signed only hours before the campaign launched, using a valid code-signing certificate issued by Comodo. A valid signature does not make a binary benign, but some endpoint controls weight their verdict by signer reputation and treat validly signed code more leniently, which makes such a sample harder to flag on an affected system.

The malicious advertisements have been inserted via the Zedo ad network on the following websites: hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, and mawdoo3[.]com.

Barracuda Labs spotted the malvertising campaign on Sunday evening, and at the time of discovery, the malware sample was not detected by any of the antivirus engines available on Google’s VirusTotal free scanning service.

At the time of writing, however, at least 12 of the 55 engines on VirusTotal flag the sample as malicious. A near-zero detection count at discovery is typical for a freshly built and freshly signed sample, so that figure says more about the sample's age than about the engines' quality.

“Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim’s system. The particular instance delivered via tonight’s campaign has a valid digital signature and appears to have been signed just hours before its distribution,” says Paul Royal from Barracuda Labs.

CryptoWall has been designed to encrypt specific files on the compromised system and hold them hostage until their owner pays a ransom. The malware relies on public-key cryptography to lock up the data, so the key needed to decrypt the files (the private key) never has to be present on the victim's machine. Without that private key, which only the attackers hold, the files cannot be recovered; restoring the data from a backup is the only reliable recovery method.

To discourage such malicious activity, security researchers advise against paying the ransom and strongly recommend that users keep backup copies of their most important files, stored somewhere the infected machine cannot reach, since a backup on a mapped or writable location can be encrypted along with the originals.

[UPDATE, 10.03.2014]: An earlier version of this article said that a certificate from DigiCert was used to sign CryptoWall. A representative of the certificate provider contacted us on Friday to inform us that the digital certificate used to sign the CryptoWall variant was issued by Comodo Certificate Authority, not by DigiCert.

The mistake originates from the source we used, where an image was posted showing information from DigiCert's timestamping service. An Authenticode signature carries two separate pieces of evidence: the signer's code-signing certificate, with the CA that issued it, and an optional timestamp countersignature from a timestamping authority. The timestamping authority need not be the same company as the issuing CA, and reading the timestamp details as the certificate issuer easily leads to the erroneous conclusion that DigiCert issued the certificate used to sign the malware.
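The distinction that caused the correction above (which CA issued the signer's certificate versus which authority countersigned the timestamp) can be checked directly on a Windows host. The following script is an added example written for this page; it is not code from the article, from Barracuda Labs, or from any of the parties named. It assumes a Windows machine with PowerShell 5.1 or later and uses `notepad.exe` only as a stand-in path for a signed PE; when examining an actual malware sample, run this on an isolated analysis host, never on a production system.

```powershell
# Added example (not from the original article): report the code-signing
# certificate's issuer separately from the timestamp countersignature's
# issuer, so the two are not confused the way the DigiCert/Comodo mix-up shows.
function Get-SigningParties {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status reports whether the signature and chain validate (Valid,
    # HashMismatch, NotTrusted, NotSigned, ...). "Valid" means the signer
    # holds a CA-issued key that matches the file; it says nothing about
    # whether the file is benign.
    $result = [ordered]@{
        Path            = $Path
        Status          = $sig.Status
        StatusMessage   = $sig.StatusMessage
        SignerSubject   = $null
        SignerIssuer    = $null   # the CA that issued the code-signing cert
        SignerNotBefore = $null   # earliest the cert could have been used
        SignerThumbprint = $null
        TimestampSubject = $null
        TimestampIssuer = $null   # the timestamping authority's chain, which
                                  # need not match SignerIssuer at all
    }

    if ($sig.SignerCertificate) {
        $result.SignerSubject    = $sig.SignerCertificate.Subject
        $result.SignerIssuer     = $sig.SignerCertificate.Issuer
        $result.SignerNotBefore  = $sig.SignerCertificate.NotBefore
        $result.SignerThumbprint = $sig.SignerCertificate.Thumbprint
    }

    if ($sig.TimeStamperCertificate) {
        $result.TimestampSubject = $sig.TimeStamperCertificate.Subject
        $result.TimestampIssuer  = $sig.TimeStamperCertificate.Issuer
    }

    [pscustomobject]$result
}

# Stand-in path (assumption): replace with the sample under analysis.
$parties = Get-SigningParties -Path "$env:SystemRoot\System32\notepad.exe"
$parties | Format-List

# A certificate whose NotBefore is within hours or days of the campaign date
# is worth a closer look, since that is the pattern described in this article.
if ($parties.SignerNotBefore -and
    ((Get-Date) - $parties.SignerNotBefore).TotalDays -lt 7) {
    Write-Warning "Signer certificate was issued less than a week ago: $($parties.SignerNotBefore)"
}
```

`Get-AuthenticodeSignature` exposes the timestamper's certificate but not the signing time itself; to see when the countersignature was applied (the "signed hours before distribution" detail), run `signtool verify /pa /v <file>` from the Windows SDK, which prints the timestamp and the chain that verified it. Either way, the practical rule is the same: only `SignerIssuer` tells you which CA issued the code-signing certificate, and a `Valid` status should drive a request for revocation rather than be read as a sign of safety.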