Ransomware has become very frequent this year, and our malware researchers encounter more and more cases of cryptographic file-locking attacks. Easiness of deploying, the wide range of targets and clear business model are probably the main reasons for such popularity of this kind of malware among cyber criminals. Any company or organization is a potential target as it has been proven earlier this year when U.S. hospital computers and cancer treatment equipment were shut down due to ransomware. The malware infiltrated hospital network on early Feb 2016, and Medical Center forced to pay hackers 17K$ ransom for the decryption key. Some predict the cost of attacks to reach 1 billion$ by the end of 2016. This article describes the execution flow, from the website infection to fully encrypted computer file system which later results either in paying the decryption fees or computer re-installation unless you have proper website anti-malware tools in place.

Ransomware is a kind of malware which infection process comprises from encryption of all "user" files on underlying file system. The decryption of the infected files further requires payment of a fee to malware owner, mostly via bitcoin platforms, after which the infection victim receives decryption key to restoring all encrypted data. In most cases, infection by ransomware occurs via security vulnerability exploit targeting known (or zero-day) security vulnerability in one of software applications already installed on the victim computer.

Despite known definitions of security vulnerabilities, here we would define security vulnerability as a software bug allowing attackers to submit illegal data which further provides full control of the compromised application. In our case, vulnerable applications are web browsers and illegal input are specially crafted JavaScript files, flash files or images. When passed to the vulnerable application it facilitates full control of the internet browser by malware and infects other files on victim computer. Such kind of malignant input is also called a security vulnerability exploit. As its name implies, it utilizes security flaws to inject malicious code into the compromised application.

Exploit Kit is a web based application which operates similarly to any other website. Exploit Kit is used to perform the following:

1. - identify software applications (and their versions) installed on client side (victim computer)
2. - select vulnerabilities to exploit
3. - select most suitable vulnerability exploit to upload to the victim computer and
4. - finally select malware payload (the malware itself) which further will be used to infect victim computer

After all the steps above malware infection uploaded and executed on victim device. In the case of ransomware, infection is encryption of "user" files on compromised computer.

The infection path starts from visiting compromised website hosting malicious JavaScript (or Iframe) code which leads visitors to download other malicious components (JavaScript or Flash exploits) from the web server hosting Exploit Kit. Once vulnerability exploit uploaded and executed on the target computer, it downloads and passes control to the main malware which in our case is ransomware and finally encrypt files on the visitor’s device.

Following is an event diagram depicting this path:

1. - A website some[-]infected[-]website.com attacked by hackers and infected with a JavaScript or Iframe malware leading to Exploit Kit
2. - Visitor accesses some[-]infected[-]website.com
3. - Malware on some[-]infected[-]website.com provides Exploit Kit with the details on visitor's web browser
4. - Exploit Kit decides which exploit to upload to the victim site
5. - Selected vulnerability exploit uploaded (downloaded) to web browser
6. - Vulnerability exploit executes on victim computer and downloads payload malware (in this case ransomware)
7. - Ransomware malware runs on victim computer and infects (encrypts) the files

Another ransomware propagation vector utilizes Microsoft Office capabilities to execute macro scripts (or macros) to download and run ransomware on a victim’s computer without user’s knowledge. During typical malware cleanups, we detected mass mailers infection on numerous customers sites. The malware distributed emails either containing links to compromised websites or contained attached *.docx and *.docm documents which load triggered execution of a macro code leading to download and installation of the ransomware.

The most obvious would be to have the updated backup of the file system in place. Although storing the backup “offline” and accessible through the network will help in speeding up the restoration, in practice, this is not always feasible and does not provide the 100% success. The human factor is the most crucial when considering the proactive measures. Educate your personnel not to open suspicious e-mails (e-mails sent to business address from the outside source, e-mails sent to large recipients list, etc…), not to download images and other attachments from not secured resources, avoid visiting gambling, gaming and adult websites from within the company network. Knowing the difference of .docx and .docm can sometimes save the day: the .docx files will run on the computer with disabled macros while the .docm runs on the computer with enabled macro. If you’re using commercial Content Management Systems (CMS) - make it a policy always to keep your CMS up to date to reduce the vulnerabilities. Most of the exploits rely on exploiting CMS core files, themes, and plugins. To sum up, - when it comes to hacking prevention the investment in employee training, reliable web anti-malware services and security policies is the best you could do to avoid this and similar attacks.

This article/post shows how a simple visit to the infected website could result in ransomware infection and further hell to restore encrypted files or reinstallation of the infected computer.

Here at Quttera we are cleaning this and other kinds of malware on a daily basis. If you would like our malware analysts to help you, just select appropriate ThreatSign! Anti-Malware plan and get back online.

For other issues and help: Quttera help-desk