Threat Research

CryptoWall joins forces with click fraud botnet to infect individuals and businesses alike

Gracie Roberts, 3 July 2015

CryptoWall joins forces with click fraud botnet to infect individuals and businesses alike

Newest CryptoWall variant enters systems through a click fraud botnet. Newest CryptoWall variant enters systems through a click fraud botnet.

Earlier this year, we told you about the return of CryptoWall, malware that encrypts certain files in your computer and, once activated, demands a fine around $500 as a ransom to provide the decryption key. These kinds of financial fraud schemes target both individuals and businesses, are usually very successful and have a significant impact on victims. The problem begins when the victim clicks on an infected advertisement, email, or attachment, or visits an infected website.

Recently, a click fraud botnet with ties to CryptoWall has been discovered. The malware, nicknamed ‘RuthlessTreeMafia‘, has been being used to distribute CryptoWall ransomware. What first appears as an attempt to redirect user traffic to a search engine quickly mutates into an alarming threat as infected systems begin to download CryptoWall and system files and data become encrypted, rendering them useless by their owners. Click fraud and ransomware are two types of crimeware that are usually quite different from one another and typically don’t have many opportunities to join forces; therefore, the result of this unlikely yet powerful collaboration can be detrimental to its victims.

In a public service announcement issued on June 23, the FBI warns of the continued spread of this variant of CryptoWall that has the potential to affect not only individuals, but also government entities and businesses. The report reads:

"Many victims incur additional costs associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services, and/or the purchase of credit monitoring services for employees or customers. Between April 2014 and June 2015, the IC3 received 992 CryptoWall-related complaints, with victims reporting losses totaling over $18 million."

The uncovering of this most recent CryptoWall variant also goes to show just how creative cybercriminals can be when coming up with ways to get their malware onto people’s systems. A simple click fraud botnet compromise can now lead to a potentially serious ransom attack.

How to stay safe against infection

  • Go with your gut. Don’t click on any emails or attachments that appear as suspicious or unfamiliar to you.
  • Enable popup blockers. Popups are a popular way for hackers to spread malware. To eliminate the chance of accidentally clicking on a popup, it’s best to prevent them from appearing in the first place.
  • Educate employees about the dangers of malware. It’s crucial that SMBs teach their employees about the risks that malware pose to their business. Hold regular workshops to educate employees about common malware attacks, such as phishing emails, and how they can stay safe against them.
  • Always use antivirus software and a firewall. It’s crucial that you download and use antivirus software to best protect yourself against malicious attacks. For the highest level of protection, regularly make sure that your software is updated to the latest version.