A deadly campaign delivers Pony info-stealer followed by Cryptowall ransomware
After the tech support scam paired with ransomware, another deadly combination has been seen targeting PC users: an info-stealer coupled with ransomware.
According to Heimdal Security’s Andra Zaharia, this campaign is also executed with the help of an exploit kit.
“The campaign is carried out by installing a cocktail of malware on the compromised PC. The first payload consists of the notorious data thief Pony, which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of Control & Command servers controlled by the attackers,” she explained.
“The purpose of this action is to abuse legitimate access credentials to web servers and CMS systems used by websites and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution.”
Visitors to the legitimate sites compromised with those scripts are then redirected through a number of other compromised sites to one hosting the Angler exploit kit – the most widely used exploit kit at the moment, thanks to its use of zero-day exploits and its low detection rate.
If the exploit kit succeeds in exploiting a vulnerability on a visitor's system, it installs CryptoWall 4.0, which encrypts the victim's files and holds them for ransom.
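The injection step above is the one a site operator can actually catch: with stolen CMS or web server credentials the attackers modify templates or drop files, so a file-integrity baseline of the web root plus a check for script tags loading from hosts you do not recognise will flag the change. The following Python is an added example written for this article, not code from Heimdal Security or the researchers; the web root, file names, and hosts (`cdn.example.org`, `redirector.invalid`, `wp-tmp.php`) are constructed for the demo and are not indicators from the campaign.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Matches the src attribute of <script> tags in HTML or PHP templates.
SCRIPT_SRC_RE = re.compile(r"""<script[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
TEMPLATE_SUFFIXES = {".html", ".htm", ".php", ".tpl"}


def hash_tree(root):
    """Return {relative_path: sha256} for every file under root (the integrity baseline)."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(baseline, current):
    """Compare two hash_tree() snapshots: files that appeared, vanished, or changed content."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def foreign_script_sources(html, allowed_hosts):
    """Return script src values that load from a host outside allowed_hosts.

    Relative paths (no host) are treated as local and never reported; absolute and
    protocol-relative (//host/...) URLs are checked against the allowlist.
    """
    hits = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() not in allowed_hosts:
            hits.append(src)
    return hits


def scan_webroot(root, allowed_hosts):
    """Scan every template-like file under root; return {relative_path: [foreign src, ...]}."""
    root = Path(root)
    findings = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in TEMPLATE_SUFFIXES:
            hits = foreign_script_sources(p.read_text(errors="replace"), allowed_hosts)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings


def demo():
    """Constructed scenario: a tiny web root, a baseline, then a simulated injection.

    Returns (integrity diff, foreign-script findings) so the effect of each check is visible.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "js").mkdir()
        (root / "index.php").write_text(
            '<html><head><script src="/js/app.js"></script>'
            '<script src="https://cdn.example.org/lib.js"></script></head>'
            "<body>hello</body></html>"
        )
        (root / "js" / "app.js").write_text("console.log('app');")
        baseline = hash_tree(root)  # in practice: stored off-host, not beside the site

        # Simulated compromise (constructed): a remote script appended to the template
        # and a dropped redirector file, the kind of change stolen CMS credentials allow.
        with open(root / "index.php", "a") as f:
            f.write('<script src="//redirector.invalid/r.js"></script>')
        (root / "wp-tmp.php").write_text("<?php header('Location: http://next-hop.invalid/'); ?>")

        current = hash_tree(root)
        return diff_baseline(baseline, current), scan_webroot(root, {"cdn.example.org"})


if __name__ == "__main__":
    integrity, scripts = demo()
    print("integrity:", integrity)
    print("foreign scripts:", scripts)
```

The baseline only helps if it is stored somewhere the stolen credentials cannot reach (off-host, or at least outside the account the CMS runs under); an attacker who can edit the templates can also edit a baseline kept next to them. The allowlist of script hosts should be the CDNs and analytics providers the site deliberately uses, nothing more.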
“The campaign is extensive and it originates from a bulletproof hosting environment located in Ukraine. More than 100 web pages in Denmark have been injected with the malicious script, but the campaign is not limited to Europe,” says Zaharia.
Users are advised to keep their system and software updated, to use products that can detect and block recent ransomware, and not to follow links or open attachments contained in unsolicited emails and instant messages.
Still, the best way to make sure ransomware will never affect you much (even if it encrypts all your files) is to back up your data regularly and keep the backup separate from your system, so the malware cannot reach it. That way, even if you are hit with ransomware, the criminals lack the leverage needed to make you pay the ransom.