Security firm Damballa has discovered a conventional click-fraud botnet being used to distribute the CryptoWall ransom malware, an unusual but deadly integration between normally very different types of crimeware.
In its latest threat report, the firm describes tracking a click-fraud infection it nicknamed ‘RuthlessTreeMafia’ (in fact the Asprox botnet) on a customer network, which at first appeared to be nothing more sinister than an attempt to direct bogus traffic to a search engine.
However, after about an hour of intense activity, the infected system suddenly downloaded a new threat, dubbed ‘NorthBridgeClowns’ in Damballa-speak but more popularly known as CryptoWall. Within seconds, the PC’s system files and data were encrypted, rendering it unusable by its owner.
The two attacks were dovetailed: the click fraud continued for an hour after CryptoWall had taken over the system. The total time from first infection to the point at which the attackers had turned low-level click fraud into a full-blown ransom campaign was two hours.
From the outside, the mixing of two different forms of crimeware in one attack doesn’t sound that exceptional; Trojan compromises often lead to other malware being downloaded to a system at a later point. The important point is that click-fraud infections don’t normally come with such a severe sting in the tail. It would be more common for a botnet to keep quietly exploiting the system until it was discovered and cleaned.
It also underlines how ransom criminals have diversified the ways they get their malware on to people’s systems. A simple click-fraud botnet compromise can now lead to a potentially serious ransom attack. “As demonstrated by the RuthlessTreeMafia example, hidden threats can arrive in sheep’s clothing,” noted Damballa’s researchers.
“As this report highlights, advanced malware can quickly mutate and it’s not just the initial infection vector that matters, it’s about understanding the chain of activity over time," added Damballa CTO, Stephen Newman.
"The intricacies of advanced infections mean that a seemingly low risk threat – in this case click fraud – can serve as the entry point for far more serious threats.”
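The point Damballa makes is that the infection is only understood as a sequence over time: sustained click-fraud traffic, then a second-stage download about an hour in, then a burst of file encryption. The following is an added example of a per-host timeline correlator that flags that sequence; it is not Damballa's code or telemetry. It assumes a hypothetical log schema of `timestamp host kind detail` lines where `kind` is `http`, `download` or `filewrite`, and the thresholds, window sizes, host names and log lines are all constructed for illustration.

```python
"""Per-host timeline correlation: click-fraud -> payload download -> mass file writes (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "http", "download" or "filewrite" (assumed log schema)
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse 'ISO-timestamp host kind detail...' lines; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, kind, detail = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), host, kind, detail))
    return events


def detect_chains(events, click_threshold=40, click_window=timedelta(minutes=10),
                  followup_window=timedelta(hours=2), write_threshold=20):
    """Return {host: summary} for every host whose events show all three stages in order."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)

    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)

        # Stage 1: click-fraud-like burst - click_threshold ad-click requests inside click_window
        clicks = [e for e in evs if e.kind == "http" and "/click" in e.detail]
        click_start = None
        for i in range(len(clicks) - click_threshold + 1):
            if clicks[i + click_threshold - 1].ts - clicks[i].ts <= click_window:
                click_start = clicks[i].ts
                break
        if click_start is None:
            continue

        # Stage 2: first executable download after the click activity began, within followup_window
        dl = next((e for e in evs
                   if e.kind == "download"
                   and click_start < e.ts <= click_start + followup_window
                   and e.detail.lower().endswith(".exe")), None)
        if dl is None:
            continue

        # Stage 3: burst of file writes after the download (the encryption phase)
        writes = [e for e in evs
                  if e.kind == "filewrite" and dl.ts < e.ts <= dl.ts + followup_window]
        if len(writes) < write_threshold:
            continue

        hits[host] = {
            "click_start": click_start,
            "download": dl.detail,
            "download_ts": dl.ts,
            "file_writes": len(writes),
            "minutes_to_payload": (dl.ts - click_start).total_seconds() / 60,
        }
    return hits


def build_sample_log() -> str:
    """Constructed sample: ws-17 shows the full chain, ws-22 only ordinary browsing."""
    base = datetime(2015, 6, 22, 9, 0, 0)
    lines = ["# constructed sample, not real telemetry"]
    # ws-17: 60 click requests over six minutes
    for i in range(60):
        t = base + timedelta(seconds=6 * i)
        lines.append(f"{t.isoformat()} ws-17 http GET http://ads.example/click?id={i}")
    # about an hour later a second-stage executable is fetched
    t = base + timedelta(minutes=62)
    lines.append(f"{t.isoformat()} ws-17 download http://cdn.example/update.exe")
    # then a burst of document writes within the next minute
    for i in range(40):
        t = base + timedelta(minutes=63, seconds=i)
        lines.append(f"{t.isoformat()} ws-17 filewrite C:\\Users\\alice\\Documents\\report{i}.docx")
    # ws-22: a handful of intranet requests and nothing else
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f"{t.isoformat()} ws-22 http GET http://intranet.example/page{i}")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, summary in detect_chains(parse_log(build_sample_log())).items():
        print(host, summary)
```

Each stage on its own is weak evidence (ad-click traffic, a download, a run of file writes), which is why none of them alone would have drawn attention; the alert fires only on the ordered combination, and the `minutes_to_payload` figure records the gap between the first stage and the payload so the timeline can be compared against what was observed in the field.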
This kind of campaign looks like a warning. CryptoWall has become the number one ransom malware menace of 2015 and can probably be considered on a par with the infamous CryptoLocker of 2013 for sheer aggressiveness, even though consumers and businesses are more aware of this type of threat than they were then.
Despite that awareness, only last week the FBI went to the effort of putting out a special warning about CryptoWall, such has been its effect since it appeared in April 2014. The agency said that it had received 992 complaints from US consumers and businesses accounting for $18 million (£12 million) in losses.
“CryptoWall 3.0 is the most advanced crypto-ransom malware at the moment. The $18 million in losses is likely much more, as many companies do not report their infections to the FBI and the downtime caused by these infections is much higher,” commented Stu Sjouwerman of US-based security consultancy KnowBe4, which has made a specialty of cleaning up ransom threats.
“Additional damage is caused when a workstation is infected and has a mapped drive to a shared file server. At that point all the files are encrypted and a whole department is sitting on their hands. The impact to a business can be devastating,” said Sjouwerman.
Separately, an impromptu survey carried out by security firm ESET at the recent Infosecurity Show in London revealed that a third of the 200 UK security professionals it questioned had either been directly affected by ransomware or knew of someone who had.
A roughly equal percentage admitted that if their companies were infected by this form of malware, they would probably end up paying the ransom in the hope of retrieving data.