Crypto Wall ransomware distributed in malicious advertisements

Cybercriminals have distributed Crypto Wall ransomware on popular websites using malicious advertisements. A novelty is that the download was signed with a digital certificate, making it seem to be a legitimate application.

The advertisements were mainly shown on Indian websites, and as soon as they loaded they tried to exploit known browser and browser plugin vulnerabilities. The issue was discovered by the digital security company Barracuda Labs, which doesn't state which vulnerabilities were exploited.

Visitors to websites like Hindustan Times, Bollywood Hungama and Coding Forums who had an outdated browser or browser plugin were infected with Crypto Wall, a ransomware variant that encrypts files. Once Crypto Wall infects a computer, it starts to encrypt files and demands a ransom in order to decrypt them. It's estimated that the ransomware has infected more than 625,000 machines and encrypted more than 5 billion files since its initial release.

The version distributed on the Indian websites was signed with a valid certificate, which has several benefits for cybercriminals. The download looks legitimate, which gives users the impression they are installing a safe application. A valid certificate can also be used to circumvent security software and system security settings. When the ransomware hit the websites, none of the 55 virus scanners of the online scan service VirusTotal recognized the malware.