CryptoWall Malvertisments on Yahoo, AOL, Match.com and More

A string of reports released Thursday indicate that a very large CryptoWall malvertising campaign has been affecting a number of top websites for approximately the last month. Affected sites include, but are not limited to: AOL, The Atlantic, Match.com, and the Sports, Fantasy Sports, and Finance subdomains of Yahoo. Internet users who visited these domains within the last 30 days may have been exposed to malicious advertisements designed to automatically install the CryptoWall ransomware – no clicking required.

How do you get infected?

The malicious advertisements used in this campaign were designed to exploit unpatched vulnerabilities in Adobe Flash. These vulnerabilities allowed the cybercriminals to install CryptoWall onto victims’ computers. CryptoWall is a ransomware, designed to encrypt your files and demand payment for recovery. Ransom payments in this latest campaign were found to be anywhere from $200-$2000. In some instances, victims who chose not to pay eventually had their files permanently encrypted, after a preset time period passed. In all, researchers estimate that during the last 30 days close to 3 million Internet users per day were potentially exposed to this threat.

How do you remove CryptoWall?

There is currently no known way to decrypt CyrptoWall without paying the ransom,  and even this method does not guarantee recovery of files. If your computer has become infected with CryptoWall, Emsisoft does not recommend paying the ransom unless you absolutely must recover the files. Sometimes, partial recovery is possible. Instructions on how this works have been published by Bleeping Computer, and can be found here. Anyone who needs assistance walking through these instructions is encouraged to contact Emsisoft Support.

How can I prevent a ransomware infection?

Minimize Application Vulnerabilities

This latest campaign exemplifies the importance of minimizing application vulnerabilities. As stated above, users who visited affected websites did not need to click on the malicious advertisements to become infected – they simply needed to have vulnerable versions of Flash on their computer. For more information on how to get rid of application vulnerabilities, see the Emsisoft Security Knowledgebase.

Backup your most important files

Losing access to your business or family files can be devastating, but CryptoWall can be rendered irrelevant by regular file backups. If you do so, make sure to use an external device that you can disconnect from your computer after each backup. CryptoWall has been known to spread through local networks and even encrypt files that are auto-synced with cloud storage.

Invest in protection

For a fraction of the cost of ransom payment, using a proactive antimalware can also help. After a vulnerability is exploited, cybercriminals use it as an open doorway to serve malware to your computer. An antimalware, such as Emsisoft Anti-Malware or Emsisoft Internet Security, will prevent this from happening by either: blocking connection to the malicious download website cybercriminals try to use; preventing the malware from running through signature recognition; or preventing the malware from running through Behavior Blocking if no signature is found.

More information on CryptoWall

Unfortunately, this is not the first time CryptoWall has been served through malvertisements. In fact, the same thing just happened earlier this month and also in June. In all instances, cybercriminals are taking advantage of what is a complex, automated, and somewhat unregulated online advertising environment, to cash in. For more information on this problem, and a full list of websites affected by this latest string of CrytoWall malvertisements, see the ProofPoint blog.

Have a great (CryptoWall-free) day!