CryptXXX Ransomware Spread Further via SoakSoak Botnet


This year’s surge in CryptXXX ransomware infections was driven by the SoakSoak botnet, which can automatically scan websites for vulnerabilities, researchers revealed.

The CryptXXX ransomware, a strain that switched its delivery from the Angler Exploit Kit to the Neutrino Exploit Kit, gained further reach with the help of the SoakSoak botnet, which has been active since 2014.

Known for its ability to scan websites for vulnerabilities automatically, the botnet compromised over 100,000 WordPress self-hosted websites in a single day, via a vulnerable plugin, researchers at security firm Invincea wrote.

A staggering number of websites compromised by SoakSoak dispensing the CryptXXX ransomware via the Neutrino Exploit Kit can be found here.

An Invincea researcher wrote at the time of discovery:

Now we are seeing business websites being compromised to deliver ransomware to anyone who visits their site. 

A typical ransomware delivery begins with the SoakSoak botnet scanning for vulnerable websites; a redirection script is then embedded into a website that can be exploited. Users visiting the website unwittingly become victims of the Neutrino Exploit Kit, which first searches the end-user’s computer for security tools and debuggers on the endpoint. Security software it scans for includes VMware, Wireshark and ESET, among others.

If none of these are present, the CryptXXX ransomware payload is delivered and, as the unfortunate victim soon finds out, the contents of the system’s hard drive are encrypted by the ransomware. The user is then presented with instructions to pay a bitcoin ransom in order to regain access to his or her files and data.
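The infection chain above starts with a redirect script injected into a compromised site, so the first place a site owner can catch it is in the HTML the site actually serves. The following Python script is an added example, not code from the original post or from Invincea or LIFARS; it scans page content for the generic traces of an injected redirector (script sources outside a per-site allowlist, obfuscated inline script, meta-refresh and hidden iframes pointing off-site). The allowlist, the hostnames and the sample pages are constructed for illustration, and the inline-script patterns are heuristics rather than a signature for any specific campaign.

```python
"""Scan served HTML for traces of an injected redirector.

Added example (not from the original post). ALLOWED_HOSTS and the sample
pages are constructed; adjust the allowlist to the site being checked.
"""
import re
from urllib.parse import urlparse

# Hypothetical per-site allowlist of hosts the site legitimately loads scripts from.
ALLOWED_HOSTS = {"cdnjs.cloudflare.com"}

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv\s*=\s*["']?refresh["']?[^>]*?url\s*=\s*([^"'\s>]+)""", re.I)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)
# display:none or a 0/1 pixel width/height marks an iframe the visitor is not meant to see.
HIDDEN_ATTR = re.compile(r"""display\s*:\s*none|\b(?:width|height)\s*=\s*["']?[01]\b""", re.I)

# Inline constructs that injected redirectors commonly use (heuristics, not a signature).
SUSPICIOUS_INLINE = [
    (re.compile(r"\beval\s*\("), "eval()"),
    (re.compile(r"\bunescape\s*\("), "unescape()"),
    (re.compile(r"document\.write\s*\("), "document.write()"),
    (re.compile(r"\blocation(?:\.href)?\s*=[^=]"), "location assignment"),
    (re.compile(r"String\.fromCharCode"), "String.fromCharCode"),
    (re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}"), "long hex-escaped string"),
    (re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), "long base64-like blob"),
]


def _external_host(url, allowed):
    """Return the host of url if it is absolute and not allowlisted, else None.

    Relative URLs (same-origin resources) have no netloc and are ignored;
    protocol-relative URLs (//host/path) are resolved to their host.
    """
    host = urlparse(url.strip()).netloc.lower()
    return host if host and host not in allowed else None


def scan_html(html, allowed=ALLOWED_HOSTS):
    """Return a list of (finding_type, detail) tuples for one served page."""
    findings = []
    for m in SCRIPT_TAG.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src = SRC_ATTR.search(attrs)
        if src:
            host = _external_host(src.group(1), allowed)
            if host:
                findings.append(("external-script", host))
        else:
            for pat, label in SUSPICIOUS_INLINE:
                if pat.search(body):
                    findings.append(("inline-script", label))
    for m in META_REFRESH.finditer(html):
        host = _external_host(m.group(1), allowed)
        if host:
            findings.append(("meta-refresh", host))
    for m in IFRAME_TAG.finditer(html):
        attrs = m.group(1)
        src = SRC_ATTR.search(attrs)
        if src and HIDDEN_ATTR.search(attrs):
            host = _external_host(src.group(1), allowed)
            if host:
                findings.append(("hidden-iframe", host))
    return findings


# Constructed sample: a clean page that loads only allowlisted and same-origin scripts.
CLEAN_PAGE = """<html><head>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<script src="/wp-content/themes/shop/main.js"></script>
<script>window.shopInit = function () { return 1; };</script>
</head><body><h1>Shop</h1></body></html>"""

# Constructed sample: the same page with generic injected content (hostnames are fictitious).
INJECTED_PAGE = CLEAN_PAGE.replace("</head>", """<meta http-equiv="refresh" content="0;url=http://evil-landing.test/gate">
<script src="//evil-redirector.test/loader.js"></script>
<script>eval(unescape("%77%69%6e%64%6f%77"));</script>
<iframe src="http://evil-landing.test/gate.php" width="1" height="1" style="display:none"></iframe>
</head>""")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

In practice the script would be run against the HTML fetched from the public URL of each page (as a visitor sees it) rather than against files on disk, because an injected redirector may only be served to some visitors; a single finding of an off-allowlist script host or hidden iframe is enough to warrant pulling the page offline and checking the plugin directory.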

Invincea also revealed that SoakSoak targeted plugins such as Revslider to exploit WordPress content management websites, allowing attackers to append scripts to Revslider.

In its next blog post, LIFARS will detail how the Neutrino Exploit Kit serving CrypMIC, another ransomware strain that exposed over a million users to the risk of infection through a malvertising campaign, was shut down through the efforts of security researchers.

Image credit: Botnet image from Wikipedia.