Malvertising and Ransomware

Six questions about ransomware and malvertising with AdSecure's Product Manager Mathieu Derval.

What role does phishing play in ransomware attacks?

Phishing is probably one of the most popular social engineering types of attack. The objective is to trick someone into clicking on a link contained within a message that looks like it comes from a well-known/genuine company (often including a copycat logo), and then the user is tricked either into giving up sensitive information (login, password or other) through a fake online form which seems to be legit, or in other cases, into downloading infected files that execute as soon as the user opens them, encrypting their data and asking for a ransom.

From an ad verification solution point of view, phishing is indeed an important vector of ransomware spreading. Malvertising campaigns are crafted by cybercriminals to lure victims to click on ads or links in websites that will redirect them to other websites hosting exploit kits designed to use vulnerabilities in web browsers or plugins on the visitor's computers to install and execute ransomware.

How serious a threat is ransomware?

Apart from traditional spam distribution, ad networks and publishers may often act unwittingly as intermediaries, targeting thousands or even millions of potential victims. The standard way for attackers to spread malware is to disguise their ads and hide them in the latest multimedia software, free antivirus or even security utilities, when in reality these are malicious products. These kinds of ads are often designed to cause shock or anxiety and entice visitors to click on them. The second way, commonly known as a drive-by attack, is when visitors go to websites that happen to have malicious ads placed upon them. A script hidden in an infected ad will run in the background and look for vulnerabilities on the user's computer so it can quietly download and execute a malicious application such as ransomware.

What are the best ways to prevent a ransomware attack?

– Do not open any emails from untrusted sources.

– Update your browser to the latest available version – Some malvertising attacks exploit security holes directly in the browser.

– Keep your plugins updated and disable or uninstall the ones you don't frequently use, including Java.

– Patch your operating system – Install security updates and update your operating system every time a patch comes around to reduce your exposure to zero-day based attacks.

– Get a good anti-virus/anti-malware – Run regular scans of your computer and make sure it is always updated.

– When using your mobile, only install apps from the original app stores and try to run background checks before installing any suspicious apps.

– Ad platforms and publishers have to constantly monitor their ads using an ad verification tool, especially after the campaigns are live, since attackers can enable the malicious payload only once the ad has been approved by the ad network. This is where solutions like AdSecure come into play, by allowing ad platforms and publishers to automate scanning of their offers or ad zones at regular intervals from multiple locations and devices. As soon as any abnormal behavior is detected, an email notification is immediately sent to the ad platform/publisher giving them access to a comprehensive report containing the entire ad redirect chain and creative sources.

How can an active ransomware attack be contained?

For the ad platforms, the challenge lies in being capable of detecting and identifying the malicious campaign while it is active (a period that usually varies between a few hours and a couple of days, since criminals try to ensure that it remains undetected). For this reason ad platforms need to monitor and scan the offers running on their network continuously to be able to stop the propagation as soon as possible.
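The continuous re-scanning described in the prevention list and in the answer above (scan the offer again after approval, from several locations and devices, and alert on any deviation) can be sketched as a simple comparison of redirect chains. The script below is an added example written for this page, not AdSecure's code; every URL, hostname, the declared-domain allowlist and the hop threshold are constructed placeholders, and the scan results are embedded inline rather than fetched so that it runs offline.

```python
"""Added example: compare an ad's redirect chain at re-scan time against the
chain recorded when the ad was approved, across several scan locations and
devices. All URLs, hostnames and thresholds below are constructed placeholders."""
from urllib.parse import urlsplit

MAX_HOPS = 3  # assumed policy: an approved offer should not need more hops than this

# Chain captured when the ad network approved the creative (constructed).
APPROVED_BASELINE = [
    "https://ads.example-network.test/click?id=123",
    "https://track.example-network.test/r?to=landing",
    "https://landing.advertiser-example.test/offer",
]

# Domains the advertiser declared for this campaign (constructed).
ALLOWED_DOMAINS = {"example-network.test", "advertiser-example.test"}

# Chains observed by later scans from different locations/devices (constructed).
# The mobile scan from a second country ends on a fake "update your player" page,
# the kind of disguised software offer the interview describes.
RESCANS = {
    ("us", "desktop"): list(APPROVED_BASELINE),
    ("de", "mobile"): [
        "https://ads.example-network.test/click?id=123",
        "https://track.example-network.test/r?to=landing",
        "http://cdn.unrelated-host.test/go",          # plaintext and off-allowlist
        "http://update-your-player.test/install",     # disguised installer page
    ],
}


def registrable_domain(url: str) -> str:
    """Crude eTLD+1: the last two labels of the hostname (adequate for a demo)."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse_chain(chain, baseline, allowed, max_hops=MAX_HOPS):
    """Return a list of (code, detail) findings for one observed chain."""
    findings = []
    # 1. First hop at which the observed chain departs from the approved chain.
    for i, (seen, expected) in enumerate(zip(chain, baseline)):
        if seen != expected:
            findings.append(("divergence", f"hop {i}: expected {expected}, got {seen}"))
            break
    else:
        if len(chain) != len(baseline):
            findings.append(("divergence",
                             f"chain length {len(chain)} vs approved {len(baseline)}"))
    # 2. Any hop landing outside the domains declared for the campaign.
    for i, url in enumerate(chain):
        if registrable_domain(url) not in allowed:
            findings.append(("off_allowlist", f"hop {i}: {registrable_domain(url)}"))
    # 3. Downgrade to plaintext HTTP anywhere in the chain.
    for i, url in enumerate(chain):
        if urlsplit(url).scheme == "http":
            findings.append(("http_downgrade", f"hop {i}: {url}"))
    # 4. Unusually long chain compared with the assumed policy.
    if len(chain) > max_hops:
        findings.append(("too_many_hops", f"{len(chain)} hops > {max_hops}"))
    return findings


def compare_scans(baseline, rescans, allowed):
    """Analyse every scan and flag suspected cloaking when the landing page
    differs between locations/devices (same ad, different outcome)."""
    report = {key: analyse_chain(chain, baseline, allowed) for key, chain in rescans.items()}
    distinct_final = {chain[-1] for chain in rescans.values() if chain}
    if len(distinct_final) > 1:
        report["_campaign"] = [("cloaking_suspected",
                                f"{len(distinct_final)} different landing pages across scans")]
    return report


def should_alert(report) -> bool:
    """True when any scan produced at least one finding."""
    return any(findings for findings in report.values())


if __name__ == "__main__":
    rep = compare_scans(APPROVED_BASELINE, RESCANS, ALLOWED_DOMAINS)
    for key, findings in rep.items():
        for code, detail in findings:
            print(key, code, detail)
    print("ALERT" if should_alert(rep) else "clean")
```

Each finding carries the hop index, so the report an operator receives points at the exact redirect where the approved chain was abandoned; the cross-location check matters because a campaign that serves the approved landing page to the scanner's usual location and a different one elsewhere is the pattern an attacker uses to pass approval and then switch the payload on.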

Does it ever make sense to pay a ransom?

This criminal business model has proven to be very lucrative given the vast and varied potential of victims. Law enforcement officials discourage victims from paying ransoms; there is no guarantee whatsoever that your files will be accessible again after you pay the ransom. Yet, many will end up paying those ransoms in the hope of getting their files back. This decision should be the last resort, in case all other alternatives have failed (no offline backup available to recover the encrypted files or no free decryption tool available). As long as individuals and organizations continue to pay ransoms, we can't expect this criminal scheme to disappear.

How is ransomware likely to evolve over the next few years?

Even though during the last few months crypto-mining attacks have been center stage and cybercriminals are increasingly embracing this new form of making money from the internet, ransomware attacks will probably continue to increase and evolve in the coming years: the threat landscape will see more and more well-organized and well-funded groups that will employ technical tools or software vulnerabilities, such as the EternalBlue exploit used in the WannaCry attack in May 2017, but also social engineering skills to access computer systems and networks. At the same time, we can expect Ransomware-as-a-Service to become more accessible, and cybercriminals will expand their targets beyond purely financial objectives to political and strategic interests, with the intent to cause damage and not only extortion.

AdSecure provides next-gen defenses that protect publishers and ad platforms against a wide range of attacks in real-time including cryptojacking. To test how AdSecure can help your organization detect, investigate, and respond to advanced malvertising attacks, sign up for a free trial.
