The campaign, which ultimately delivered ransomware, was discovered by security researchers at Trustwave. They uncovered the “malvertising” network after noticing that several of the company’s products were detecting a suspicious-looking file being downloaded by major news sites.
The file was hosted on a server at “brentsmedia.com.” It redirected the web browser several times to hide its tracks before delivering a JavaScript file of roughly 12,000 lines that checks whether popular security tools are installed on the machine. If none are found, the script pulls in the Angler exploit kit and injects it into the web page, giving the ransomware’s operators a foothold from which to lock the user’s files.
Trustwave looked at the ownership history of brentsmedia.com and found that it had only recently changed hands. Its previous owner, a legitimate advertising company called BrentsMedia, let the domain registration lapse in January, putting the domain up for public sale.
It was re-registered on March 6 under the name “Pavel G Astahov.” The new owners appear to be trading on BrentsMedia’s reputation to get their content accepted by ad providers and, through them, onto websites that would never knowingly host malicious material.
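A practical defensive check that follows from this: flag any script or ad host loaded by a page whose domain registration is only days old, since an expired-and-re-registered domain looks brand new to WHOIS/RDAP regardless of the reputation of its former owner. The Python below is an added example written for this article, not Trustwave’s tooling. All URLs and registration dates are constructed sample data; only brentsmedia.com’s re-registration date (March 6, 2016) follows the article, and the `.example` hosts and their dates are invented. The domain-extraction rule is a deliberate simplification noted in the code.

```python
"""Domain-age triage for third-party hosts seen during a page load.

Added example, not code from the original article or from Trustwave.
Registration dates are CONSTRUCTED; in real use they would come from
WHOIS/RDAP lookups (assumption: you have such a lookup available).
"""
from datetime import date
from urllib.parse import urlparse

# Constructed sample: script/ad URLs a browser fetched while rendering a page.
SAMPLE_SCRIPT_URLS = [
    "https://cdn.newsprovider.example/js/site.min.js",
    "https://ads.network-a.example/tag.js?id=123",
    "http://brentsmedia.com/ads/banner.js",
    "https://tags.network-b.example/loader.js",
    "https://stats.unlisted.example/p.js",          # no WHOIS record on file
]

# Constructed WHOIS-style records: registrable domain -> registration date.
# brentsmedia.com's date follows the article; the rest are invented.
SAMPLE_REGISTRATIONS = {
    "newsprovider.example": date(2009, 5, 1),
    "network-a.example": date(2007, 3, 14),
    "brentsmedia.com": date(2016, 3, 6),
    "network-b.example": date(2011, 8, 20),
}

# Reference "today" for the sample: the day Trustwave published its write-up.
REFERENCE_DATE = date(2016, 3, 14)


def registrable_domain(url: str) -> str:
    """Return the registrable domain of a URL's host.

    Assumption: a simple 'last two labels' rule. This is wrong for
    multi-label public suffixes such as co.uk; a production version
    should use a public-suffix list (e.g. the tldextract package).
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def flag_young_domains(urls, registrations, today, max_age_days=30):
    """Return [(domain, age_in_days)] for every domain registered within
    max_age_days of `today`. Domains with no registration record are
    returned with age None, because 'unknown' must not silently pass.
    Result is sorted by domain so it is stable for review and testing.
    """
    flagged = {}
    for url in urls:
        dom = registrable_domain(url)
        registered = registrations.get(dom)
        if registered is None:
            flagged[dom] = None
            continue
        age = (today - registered).days
        if age <= max_age_days:
            flagged[dom] = age
    return sorted(flagged.items(), key=lambda item: item[0])


def run_sample():
    """Run the triage over the constructed sample data."""
    return flag_young_domains(SAMPLE_SCRIPT_URLS, SAMPLE_REGISTRATIONS, REFERENCE_DATE)


if __name__ == "__main__":
    for dom, age in run_sample():
        reason = "no registration record" if age is None else f"registered {age} days ago"
        print(f"FLAG {dom}: {reason}")
```

On the sample, brentsmedia.com is flagged at 8 days old and stats.unlisted.example is flagged for having no record; the three long-registered networks pass. A 30-day threshold is a starting point, not a rule: campaigns that buy a domain and let it age before use will slip past it, so treat this as one signal alongside redirect-chain length and reputation data rather than a verdict.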
The malicious ads were delivered through “at least” two networks used by some of the world’s largest websites. Trustwave commended adnxs for its quick response, blacklisting the adverts within an hour of being contacted. A second provider, taggify, had not replied by the time Trustwave publicly detailed the issue on March 14.
This attack is more sophisticated than other malvertising campaigns, according to Trustwave. “These days we’re practically used to the ‘standard’ Malvertising campaigns where the placement of malicious advertisements on known ad provider networks leads potential victims to an exploit kits’ landing page,” the firm wrote in a blog post.
“This time it seems that an experienced actor has acquired an expired domain of a small but probably legitimate advertising company in order to utilize this for malicious purposes. This provides them with high quality traffic from popular web sites that publish their ads directly, or as affiliates of other ad networks, which our research has shown to lead to the Angler EK.”
With sites including the BBC, The New York Times and Microsoft’s news aggregator MSN serving the malicious ads, the attackers may well have compromised a number of visitors over the course of the campaign. No click was required: the ad’s script ran as soon as the banner loaded, and the exploit kit then targeted vulnerable browser and plugin versions, so users on fully patched systems, or whose machines the script judged too well defended, were left alone.
The news sites aren’t to blame, as they weren’t themselves compromised. Publishers have little control over which ads appear on their pages, which is how malicious banners slip through the net onto big-name websites. Cases like this strengthen the argument of those who advocate ad blockers to avoid all ads. Malicious adverts can quietly infect users for weeks before they are detected and pulled, making even reputable websites a potentially dangerous place.