A new cybercrime campaign targets hacked websites to distribute ransomware known as PrincessLocker via drive-by downloads, according to research from Malwarebytes.
The campaign leverages compromised websites and the commonly-used RIG exploit kit to deliver PrincessLocker, also known as Princess, Jérôme Segura, lead malware intelligence analyst at Malwarebytes, wrote in a post.
PrincessLocker shares the same template for its Onion page with the popular ransomware variant Cerber; however, their internal code is very different, Malwarebytes noted in a past analysis. PrincessLocker is a simpler form of ransomware, and it's possible that its creators are not as experienced, the researchers wrote.
It's rare to see compromised websites pushing exploit kits at this point in time, as many campaigns have been replaced with tech support scams. Most drive-by activity seen today comes from legitimate publishers and malvertising, Segura noted in the post.
But in this campaign, criminals inject an iframe, which redirects from the hacked site to a temporary gate. The call to the RIG exploit kit landing page is done via a standard 302 redirect, Malwarebytes said, that leads to one of several Internet Explorer (CVE-2013-2551, CVE-2014-6332, CVE-2015-2419, CVE-2016-0189) or Flash Player (CVE-2015-8651) vulnerabilities.
Once one of those vulnerabilities is exploited, RIG can download and run PrincessLocker. The victim's ransom note, a file named _USE_TO_REPAIR_[a-zA-Z0-9].html, will appear on the screen with several links leading to decryption instructions and a payment page.
Victims are then asked for an initial payment of 0.0770 Bitcoins, or about $367, to decrypt their files. The attackers say that this is a "special price" that is only available for seven days. After that point, the ransom rises to 0.1540 Bitcoins, or about $738.
"The exploit kit landscape is not what it was a year ago, but we may be remiss to disregard drive-by download attacks completely," Segura wrote. "Malvertising is still thriving and we are noticing increased activity and changes with existing threat actors and newcomers."
As ZDNet's Danny Palmer reported, the best way to avoid PrincessLocker is to ensure that all critical vulnerabilities exploited by the kit are patched. These patches have been available for more than two years, and it's key to update your machine if you need to, Palmer said.
The 3 big takeaways for TechRepublic readers
1. A new cybercrime campaign leverages compromised websites and the commonly-used RIG exploit kit to deliver PrincessLocker via drive-by downloads, according to a new report from Malwarebytes.
2. Once a victim's machine is infected, the criminals demand a ransom of 0.0770 Bitcoins, or about $367, to decrypt their files.
3. The best way to avoid PrincessLocker is to ensure all critical vulnerabilities exploited by the RIG kit are patched.