What happens when a virulent ransomware worm turns to malicious ads as the main infection vector?
Unless you’ve been on vacation, you are already aware of Wannacry, the ransomware attack that spread around the world at breakneck speed and caused major chaos at businesses including Telefonica in Spain, Megafon in Russia, the National Health Service in the U.K, and FedEx in the United States.
Screenshot Below
The Ransomware ‘WannnaCry’
Wannacry confirmed as the largest ransomware attack in history, combined the use of publicly available exploits with worm-spreading functionality to infect hundreds of thousands of Windows computers around the world.
The initial infection vector is still unknown but security experts believe it could have been done via drive-by downloads (malicious links on a site) or via e-mail phishing.
This attack was particularly virulent because it was built to infect unpatched Windows machines inside a local network. The worm works by scanning Local Access Network IP addresses looking for open SMB/445 port. When an open port is found, it delivers a publicly known exploit to continue the propagation.
MalwareTech map
How It was Contained
For the most part, the attack was contained because of what appears to be a mistake in the code that allowed independent researchers to register domains that acted as kill switches.
This helped to buy some time for Windows users to apply the MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) update to block the attacks.
Copycats Abound
However, security experts are warning that things will get worse, especially for online publishers that rely on third-party ad serving technology to handle rich media advertising on high-profile websites.
We are already seeing signs of copycats using the WannaCry infection and spreading mechanisms to launch new ransomware attacks. There is a strong likelihood that the same exploitation techniques will be used in malvertising (malicious advertising) attacks.
As we have reported in the past, cybercriminals are already using online advertisements as a distribution mechanism for these types of attacks that infect computers and encrypt files, folders and important documents and demand ransom payments for file recovery keys.
It is only a matter of time before ad-serving networks are under siege and online advertising is being used to redirect users to malicious sites or hijack the user’s connection to serve malware from exploit kits.
A Compromised Ad Ecosystem
Late last year, several publishers including the New York Times, AOL, MSN and the BBC had their ad-serving technologies hijacked simultaneously pushing poisoned ads to infect web surfers with ransomware. In those attacks, the publisher’s automated ad network was compromised to display malware-laced banner ads that automatically redirected to two malvertising servers, the second of which delivered a well-known exploit kit known as Angler.
The Angler kit is fitted with exploits for known vulnerabilities in dozens of software including web browsers, Adobe Reader, Adobe Flash and Microsoft Silverlight. As WannaCry proved, Windows users are extremely slow to apply patches and the public availability of newer exploits means that these exploit kits will be updated immediately to cause the most damage.
How to Protect Yourself & Your Users
Instead of waiting for the worst, publishers and networks should use specialized ad security and verification tools to maintain the sterility of the advertising served on their web pages. GeoEdge can automatically spot signs of suspicious activity and block malicious ads before they do damage to your users. Ask GeoEdge how we can help keep your site and users safe.
In addition, GeoEdge recommends that Windows users do the following:
• Immediately apply the patches available in Microsoft’s MS17-010 security bulletin. The attacks have been seen on all newer versions of Windows (especially Windows 7) so it’s mandatory that these patches are applied with the highest priority.
• Use firewalls to block TCP/445 traffic from untrusted systems and block 445 inbounds to all internet-facing Windows systems.
• Be sure to back up all sensitive files and folders and store those back-ups offline. In the event of a ransomware infection, backups are the only foolproof way to recover without paying hefty ransoms.