Cryptowall 4 ransomware now being spread in Nuclear Exploit Kit

Time for lock-down as ransomware attacks more than double in one year, according to Computing Research

Computing Research indicating that ransomware is currently the fastest-growing IT security threat has been borne out by news that the Cryptowall 4 ransomware has been incorporated into the Nuclear Exploit Kit.

Until recently, according to SANS ISC handler and Rackspace security engineer Brad Duncan, the devastating Cryptowall ransomware malware has been spread almost entirely via malicious spam and phishing emails.

However, its incorporation into an exploit kit puts it into the hands of many more threat actors, meaning that ransomware is now set to become even more widespread.

Ransomware is a form of malware which, when activated, encrypts some or all of the files on a victim's PC. The user is then required to pay a ransom, typically in bitcoin, in order to receive the decryption key. The attack is normally structured so that the attackers are almost untraceable.

"I've always expected Cryptowall 4 to spread and replace Cryptowall 3 in all areas. I noticed the same thing when Cryptowall 2 replaced the original Cryptowall in 2014. It didn't happen immediately. It started with malicious spam and moved to exploit kits," Duncan told Threatpost.

He continued: "As criminals start delivering Cryptowall 4 through exploit kits, it won't immediately happen with all exploit kits at the same time. You'll start seeing it from one actor, then another, and another. At some point everyone will have moved to the new version."

Duncan said he observed an attacker using a BizCN-registered domain and switching the IP addresses behind their gate domains, the intermediary servers that sit between compromised websites and the server hosting the exploit kit.

This particular "threat actor", according to Duncan, uses the Nuclear Exploit Kit to deliver malware.

In a diary post on the ISC SANS website, he provided a deeper analysis of the threat: "Gate servers can check for operating system or browser type from the user agent string in the HTTP headers sent by a potential victim. Depending on the user agent string, the Gate server will respond accordingly.

"With the BizCN gates, when the operating system is not Windows, the gate server will respond with a '404 not found' - no need to waste resources on a host that's not vulnerable. If the user agent string shows a Windows host, the gate server will return a '200 OK', which will then generate traffic."
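The user-agent-dependent 404/200 split Duncan describes is something a defender can hunt for in outbound proxy logs. The following is an added example, not code from the article or from Duncan: it parses constructed proxy log lines (the hostnames, client addresses and user agent strings are invented, with `.invalid` hostnames as placeholders) and flags hosts that answer 200 only to Windows user agents and 404 to everything else, while leaving ordinary sites and dead hosts unflagged.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the article): time, client, host, status, user agent.
SAMPLE_LOG = """\
2015-11-25T10:01:02 10.0.0.5 gate-example.invalid 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
2015-11-25T10:01:09 10.0.0.7 gate-example.invalid 404 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9"
2015-11-25T10:01:15 10.0.0.9 gate-example.invalid 200 "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko"
2015-11-25T10:01:21 10.0.0.11 gate-example.invalid 404 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/45.0"
2015-11-25T10:02:02 10.0.0.5 cdn-example.invalid 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
2015-11-25T10:02:07 10.0.0.7 cdn-example.invalid 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9"
2015-11-25T10:03:02 10.0.0.5 dead-example.invalid 404 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
2015-11-25T10:03:07 10.0.0.7 dead-example.invalid 404 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/45.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Return (host, status, is_windows) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, status, ua = m.group(3), int(m.group(4)), m.group(5)
    return host, status, "Windows NT" in ua

def find_gate_candidates(log_text, min_hits=2):
    """Hosts that answered 200 to every Windows UA and 404 to every non-Windows UA.

    A normal site answers both kinds of client the same way and a dead host
    answers 404 to both, so only the UA-dependent split is reported, and only
    when at least min_hits requests of each kind were seen.
    """
    stats = defaultdict(lambda: {"win_200": 0, "win_other": 0, "non_404": 0, "non_other": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, status, is_windows = parsed
        s = stats[host]
        if is_windows:
            s["win_200" if status == 200 else "win_other"] += 1
        else:
            s["non_404" if status == 404 else "non_other"] += 1
    return sorted(
        h for h, s in stats.items()
        if s["win_200"] >= min_hits and s["non_404"] >= min_hits
        and s["win_other"] == 0 and s["non_other"] == 0
    )

if __name__ == "__main__":
    print(find_gate_candidates(SAMPLE_LOG))  # ['gate-example.invalid']
```

Hits flagged this way are leads for triage rather than verdicts: the same split can come from legitimate OS-specific download sites, so the referrer and the follow-on traffic from the Windows clients are what confirm an exploit kit chain.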

Duncan predicts that Cryptowall 4 will now quickly be absorbed into other widely used exploit kits, which could make ransomware more pervasive than ever.

Computing Research into rising threats against UK organisations also highlighted the fast-growing threat of ransomware. The research was unveiled at yesterday's Computing Enterprise Security and Risk Management Summit 2015.