When I speak to computer users about the worst malware threats they’ve encountered, many seem particularly rattled by ransomware.
In CryptoLocker’s case there’s some good news. A free decryption service was recently launched by FireEye and Fox-IT to help you recover your files after you’re hit by that ransomware strain.
But in the case of other attacks like CryptoWall it will often be too late, as a message displayed by the malware itself makes all too clear:
What happened to your files?
All of your files were protected by a strong encryption with RSA-2048 using CryptoWall. More information about the encryption keys using RSA-2048 can be found here: en.wikipedia.org/wiki/RSA_(crypto system)
What does this mean?
This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them, it is the same thing as losing them forever, but with our help, you can restore them.
How did this happen?
Especially for you, on our server was generated the secret key pair RSA-2048 – public and private. All your files were encrypted with the public key, which has been transferred to your computer via the Internet. Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.
What do I do?
Alas, if you do not take the necessary measures for the specified time then the conditions for obtaining the private key will be changed. If you really value your data, then we suggest you do not waste valuable time searching for the solutions because they do not exist.
By the time you see this message, the CryptoWall malware has already encrypted your files and – unless you have a clean backup – you probably won’t be able to get your files back without paying up.
Now security researchers at Blue Coat say that they have seen CryptoWall being spread via ads.yahoo.com – a major online advertising network run by, yes you guessed it, Yahoo.
Innocent computer users click on an advert served up by ad networks, which takes their browser leapfrogging from website to website, until they eventually arrive at a server containing an exploit kit designed to infect the PC with CryptoWall.
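A defender's view of the chain described above: the redirect hops leave a trail in web-proxy logs, and an analyst can reconstruct each page's referral path to see when a visit to a legitimate site ends up on an unfamiliar host that serves an executable. The script below is an added example, not code from the article or from Blue Coat; the log lines, domain names and the "known ad network" allow-list in it are constructed for the illustration and are not indicators from the report. It follows the Referer header for simplicity; real malvertising chains also hop via 302 redirects and iframes, so a production version would join on redirect Location pairs as well.

```python
"""
Added example (not from the article): reconstruct ad-redirect chains from
web-proxy log lines and flag chains that pass through several unfamiliar
hosts before fetching an executable. Every log line, host name and list
entry below is constructed for the illustration.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log: timestamp, client, referer ("-" if none), URL, content type
SAMPLE_LOG = """\
2014-08-11T10:00:01Z 10.0.0.7 - https://news.example.test/ text/html
2014-08-11T10:00:02Z 10.0.0.7 https://news.example.test/ https://ads.example-network.test/serve?id=1 text/javascript
2014-08-11T10:00:03Z 10.0.0.7 https://ads.example-network.test/serve?id=1 https://cdn.adpartner-a.test/creative.js text/javascript
2014-08-11T10:00:04Z 10.0.0.7 https://cdn.adpartner-a.test/creative.js https://track.adpartner-b.test/r?u=2 text/html
2014-08-11T10:00:05Z 10.0.0.7 https://track.adpartner-b.test/r?u=2 https://landing.unknown-host.test/index.php text/html
2014-08-11T10:00:06Z 10.0.0.7 https://landing.unknown-host.test/index.php https://landing.unknown-host.test/payload.exe application/octet-stream
2014-08-11T10:05:00Z 10.0.0.9 - https://news.example.test/ text/html
2014-08-11T10:05:01Z 10.0.0.9 https://news.example.test/ https://ads.example-network.test/serve?id=2 text/javascript
2014-08-11T10:05:02Z 10.0.0.9 https://ads.example-network.test/serve?id=2 https://cdn.adpartner-a.test/banner.png image/png
"""

# Constructed allow-list of ad-serving hosts the organisation already expects to see.
KNOWN_AD_DOMAINS = {"ads.example-network.test", "cdn.adpartner-a.test"}
# Content types that indicate a downloaded program rather than page content.
EXECUTABLE_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_log(text):
    """Yield (client, referer, url, content_type) from the log; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, client, referer, url, ctype = parts
        yield client, (None if referer == "-" else referer), url, ctype


def build_chains(text):
    """Follow referer links per client from each top-level page load to its leaf requests."""
    children = defaultdict(list)  # (client, referring_url) -> [(url, content_type)]
    roots = []
    for client, referer, url, ctype in parse_log(text):
        if referer is None:
            roots.append((client, url))
        else:
            children[(client, referer)].append((url, ctype))

    chains = []

    def walk(client, url, path, ctypes):
        nxt = children.get((client, url), [])
        if not nxt:
            chains.append((client, path, ctypes))
            return
        for child_url, ctype in nxt:
            walk(client, child_url, path + [child_url], ctypes + [ctype])

    for client, root in roots:
        walk(client, root, [root], ["text/html"])
    return chains


def suspicious_chains(text, min_unknown_hosts=2):
    """Flag chains that reach >= N hosts outside the allow-list and end in an executable."""
    findings = []
    for client, path, ctypes in build_chains(text):
        hosts = [urlparse(u).hostname for u in path]
        unknown = {h for h in hosts[1:] if h not in KNOWN_AD_DOMAINS and h != hosts[0]}
        if len(unknown) >= min_unknown_hosts and ctypes[-1] in EXECUTABLE_TYPES:
            findings.append((client, hosts))
    return findings


if __name__ == "__main__":
    for client, hosts in suspicious_chains(SAMPLE_LOG):
        print(client, " -> ".join(hosts))
```

On the constructed log, only the first client's visit is flagged: it starts at the news site, passes through two allow-listed ad hosts, then two unfamiliar ones, and ends with an `application/octet-stream` download. The second client's visit follows the same ad network but ends at an image, so it is left alone. The allow-list is what keeps the rule from firing on every ordinary ad impression; the threshold on unfamiliar hosts is a tunable that an analyst would adjust per environment.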
“What looked like a minor malvertising attack quickly became more significant as the cybercriminals were successfully able to gain the trust of the major ad networks like ads.yahoo.com,” said Chris Larsen of Blue Coat Systems. “The interconnected nature of ad servers and the ease with which would-be-attackers can build trust to deliver malicious ads points to a broken security model that leaves users exposed to the types of ransomware and other malware that can steal personal, financial and credential information.”
Obviously it’s important to keep your computer protected with anti-virus software and web filters, and to ensure it is up to date with the latest security patches to reduce the chance of it carrying a vulnerability that can be exploited.
But another potential way to protect yourself is to install an ad blocker like AdBlock Plus in your browser so you don’t see any ads in the first place.
Of course, such an approach doesn’t necessarily help ad-supported websites, and means that you won’t see the vast majority of ads that are not designed to infect you.
This isn’t the first time that Yahoo’s ads have been tainted by the stench of malvertising.
In January, for instance, Fox-IT reported that visitors to Yahoo’s website were bombarded with malicious adverts that attempted to infect computers with a wide array of financially-motivated malware.
Later in the same month, there were claims made that Bitcoin-mining malware had been spread via Yahoo ads.