Troublesome Cryptowall Ransomware Spotted in the Menacing Nuclear Exploit Kit


Cryptowall 4.0, the latest variant of arguably the world’s most annoying and intrusive ransomware, has now surfaced in the Nuclear exploit kit, an equally dangerous exploit kit sold in the underground marketplace.

Exploit kits are typically sold in the underground marketplace as tools for breaking into computers. Ransomware is arguably the most effective malware strain in its destructive potential, rendering files on a victim’s computer unusable unless a ransom is paid in exchange for the cryptographic keys required to regain access to those files.

It was only a matter of time before the two were sandwiched together by malicious hackers and cybercriminals.

Cryptowall is the most widely-seen family of ransomware, raking in hundreds of millions in revenue by targeting thousands of unsuspecting victims in recent years.

The ransomware received an update at the beginning of October. Cryptowall 4.0 now features an ‘improved code design’ intended to inflict further damage through its ability to sniff out more vulnerabilities.

The Cryptowall ransomware strain is typically distributed via phishing emails and malicious spam. With the latest update, however, the ransomware is now being delivered as part of the Nuclear Exploit Kit, researchers at the SANS Internet Storm Center (ISC) revealed.

Security researcher Brad Duncan wrote:

[A]s early as Friday 2015-11-20, this actor started sending CryptoWall 4.0 as one of its malware payloads from the Nuclear exploit kit (EK). Until now, I’ve only associated CryptoWall 4.0 with malicious spam (malspam). This is the first time I’ve noticed CryptoWall 4.0 sent by an EK.

The researcher, who has long kept tabs on the ransomware, determined that a cybercriminal working off the domains owned by Chinese domain registrar BizCN has been dispersing the ransomware through the exploit kit.

He added:

Since this information is now public, the BizCN gate actor may change tactics. However, unless this actor initiates a drastic change, it can always be found again. I (and other security professionals) will continue to track the BizCN gate actor.

LIFARS recommends that readers avoid paying ransoms, since there is no guarantee that a payment results in delivery of the decryption keys. Furthermore, money given to a criminal enterprise could very well facilitate further criminal activity.

The practice of regular offline backups of data is highly recommended.

Image credit: Flickr.