New Signed Version of CryptoWall Ransomware On the Loose

Type threatpost
Reporter Dennis Fisher
Modified 2015-04-13T16:58:31


UPDATE–Researchers have discovered a variant of the CryptoWall ransomware that has a valid digital signature and is being distributed through malicious ads on several top-ranked Alexa Web sites.

CryptoWall is one of the more successful ransomware strains in recent memory, with researchers estimating last month that the malware had grossed more than $1 million for its creators. The ransomware typically is spread through a couple of vectors, one of which is exploit kits that attack browser vulnerabilities. The other is through spam campaigns that include malicious attachments. This most-recent campaign involves a series of popular sites that are serving malicious ads that infect machines with CryptoWall.

Researchers at Barracuda Labs discovered the campaign this week, finding that it affected five separate sites that use the Zedo ad network. The sites include hindustantimes[.]com, bollywoodhungama[.]com, one[.]co[.]il, codingforums[.]com, and mawdoo3[.]com. The attack serves browsers with some obfuscated Javascript that kicks off a series of redirections that eventually results in the browser hitting a site that serves the CryptoWall malware.


“Upon successful compromise, an instance of CryptoWall ransomware is installed on the victim’s system. The particular instance delivered via tonight’s campaign has a valid digital signature and appears to have been signed just hours before its distribution,” Paul Royal of Barracuda Labs said in an analysis of the new variant.

The new CryptoWall variant is signed with a certificate issued by Comodo and includes a timestamp that shows that it was signed on Sunday, shortly before Barracuda Labs discovered it.

This story was updated on Oct. 3 to reflect that the malware is signed by a certificate from Comodo.