A new threat to your computers can be contracted simply by visiting certain high-profile sites.
Through a technique known as “malvertising,” banner ads are being used to spread a form of malware known as ransomware – in this case CryptoWall 2.0 – on such prominent Web sites as Yahoo, AOL, Match.com, the Atlantic and MajorLeagueBaseball.com. The web sites themselves aren’t to blame, but rather these virulent ads are processed through advertising networks, including Rubicon Project, OpenX and Right Media/Yahoo advertising, who have failed to carry out adequate checks for malicious content.
CryptoWall 2.0 encrypts all the files on the hard drive on a victim’s computer as well as any attached network drives, and if the victim doesn’t pay a ransom by a deadline, those files are lost. Frequently the only way someone will know that they have been infected will be telltale files in each directory titled “Decrypt_Instructions.” The latest version is memory resident, meaning that it never installs on the hard drive, but just runs in memory and disappears when the machine is shut down, but the encrypted files remain.
An estimated 3 million people have been exposed to the malvertisements since the campaign was first detected in mid-September. The CryptoWall criminals are earning an estimated $25,000 a day from this attack, using a complex bitcoin laundering method to hide their profits.
An estimated one billion Android smartphones and tablets may be the next target as a version of the ransomware goes on sale in underground web forums.
CryptoWall gets into the computer through a security vulnerability in Adobe Flash Player. Your options to protect your data are either to update to the latest version of Flash (see directions in a recent blog entry) or to remove Flash from your computer altogether.
Firefox offers a plug-in called Ghostery that blocks third-party ads and trackers from loading when a site is launched, and Chrome has a similar extension called AdRemover.
Also, always back up your data on an external hard drive, either of your own (that you disconnect after you back up, or is may get encrypted too) or a remote one (“the Cloud”).
If you are concerned that your system may be infected please submit a request at /support-request/ and we will be happy to help.