A new malvertising campaign from the AdGholas hacker group infects victims with ransomware, even if the victim takes no action other than viewing a particular advertisement. The revelation came as part of a Tuesday report released by security provider Proofpoint.
In explaining how the malvertising campaign works, Proofpoint researchers wrote that “there is no need to click on the advertisement to be infected. It is enough simply to display the ad: if the machine is vulnerable and targeted, then the infection occurs without any user interaction.”
The campaign first came to light, the report said, when a slew of universities in the UK fell victim to the scheme. As reported by ZDNet’s Danny Palmer, the attack didn’t just hit universities, as it was eventually found to have a much broader reach.
SEE: The Four Volume Cyber Security Bundle (TechRepublic Academy)
The AdGholas group is typically known for working with banking trojans, the report noted, so the use of a ransomware attack was unusual. The malvertising was then found to redirect to the Astrum Exploit Kit, also known as Stegano, which uses HTTPS to hide malicious traffic. Astrum accomplishes this through the use of a free HTTPS certificate and a shadow domain, a Trend Micro report said.
A CryptoMix ransomware known as Mole was used to lock up victim’s machines before demanding payment. Then, 0.5 Bitcoins ($1,314 at the time of this writing) are demanded as a ransom for the group to decrypt the locked files.
Ransomware has been around for some time, but it has grown rapidly since 2013. Recent attacks like WannaCry brought even more attention to this form of malware. There are a host of actions that users and organizations can take to protect themselves. Trend Micro recommends the following five steps:
- Patch your systems and keep them updated
- Secure your browsers from malicious websites
- Proactively monitor your network and endpoints
- Apply the principle of least privilege
- Foster a culture of cybersecurity
The 3 big takeaways for TechRepublic readers
- Proofpoint has linked a new malvertising campaign that infects users who simply view a certain webpage to the AdGholas group.
- The malvertising campaign utilizes the Astrum Exploit Kit and Mole ransomware, demanding 0.5 Bitcoin in exchange for releasing the victim’s files.
- Ransomware has been exploding since 2013, and users should take steps to protect their organizations from the threat.