ALERT: Ads on Disney, Facebook, Guardian Lead to Ransomware

Malware Alert: Malicious advertisements hosted on domains owned by Disney, Facebook, and The Guardian have been leading people to hacked websites that serve a file-encrypting ransomware called Cryptowall.

How to Avoid Infection

Malicious advertisements, or “malvertisements,” are banner or side window ads hosted on legitimate websites, which, when clicked, lead users to a malicious website where they will become infected with malware.

This recent malvertising campaign affects many domains owned by major companies, including:

  • apps.facebook.com
  • www.theguardian.com
  • go.com (owned by Disney)

If you click on a malvertisement hosted on one of these websites – and you are not running a comprehensive anti-malware product – you will be led to a hacked WordPress website designed to automatically infect your computer with the Cryptowall ransomware. Cryptowall will then encrypt your computer’s files and demand payment for recovery.

At present, the best way to avoid infection is to avoid clicking ads hosted on affected websites until the matter is officially resolved. A full list of websites impacted by this campaign can be viewed here.

More Details on this Threat

This latest malvertisement campaign was spotted when Cisco Systems noticed some unusual behavior on systems running their CWS product. Cisco has produced a detailed technical analysis of the campaign and its discovery here.

Anyone running Emsisoft Anti-Malware or Emsisoft Internet Security is automatically protected from the Cryptowall ransomware served in this malvertising campaign. Anyone who thinks they may be infected by Cryptowall can contact Emsisoft Support for help. Our malware removal services are always free, even if you’re not an Emsisoft customer yet.

Finally, because Cryptowall is ransomware, there is no guarantee of file recovery if your files have been encrypted. For this reason, you should only consider paying the ransom if you absolutely must regain access to the files.

Have a Great (Malware-Free) Day!

  • Mike Southern

    Is there a series of filenames that CryptoWall installs under? I’m assuming, if found, it doesn’t simply appear as a file called “cryptowall” … thanks for your work