Your IT Consultant

Latest Ransomware Steals Passwords Before Encrypting Data

December 8, 2015

It keeps looking like we’ll never win the battle of technology. Once we think some bad stuff for our computers is under control, something else comes up. A recent attack is a novel variant of data encrypting ransomware. Heimdal Security has discovered a new drive-by campaign spreading CryptoWall 4.0 using the Angler Exploit Kit.

Basically, a visitor to a website compromised with the Angler Exploit kit starts the process. As an example, Ars technica reported that the Reader’s Digest website was actively infected by Angler. The first payload is Pony, which will harvest all passwords and usernames from the computer and send them to command and control servers. The second phase moves the user from the legitimate site (e.g. Reader’s Digest) to dedicated domains that drop the infamous Angler exploit kit. Once Angler loads, it scans for vulnerabilities in third-party software and insecure Windows processes. If Angler finds any vulnerabilities, it will cram CryptoWall ransomware to the computer, encrypting the user’s data.

There are products that will help prevent ransomware such as CryptoWall. Probably the worst part of this attack is the harvesting of authentication credentials. Besides practicing safe computing, the best way to protect from this attack is to make sure that you install all updates (Windows and application software) as soon as they are made available. That way Pony won’t steal your usernames and passwords.

E-mail:   Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
http://www.senseient.com