October 31, 2016

Troublesome Cryptowall Ransomware Spotted in the Menacing Nuclear Exploit Kit

Cryptowall 4.0, the latest variant of arguably the world’s most annoying and intrusive ransomware, has now surfaced in the Nuclear exploit kit, an equally dangerous exploit kit sold in the underground marketplace.

Exploit kits are typically sold in the underground marketplace as tools for breaking into computers. Ransomware is arguably the most effective malware strain in its destructive potential, rendering files on a victim’s computer unusable unless a ransom is paid in exchange for the cryptographic keys required to regain access to those files.

It was only a matter of time before the two were sandwiched together by malicious hackers and cybercriminals.

Cryptowall is the most widely-seen family of ransomware, raking in hundreds of millions in revenue by targeting thousands of unsuspecting victims in recent years.

The ransomware received an update in the beginning of October. Cryptowall 4.0 now sees ‘improved code design’ to inflict further damage with its ability to sniff out more vulnerabilities.

The Cryptowall ransomware strain typically sees distribution via phishing emails and malicious spam. However, the latest update will now see the ransomware included as a part of the Nuclear Exploit Kit, revealed researchers at the SANS Internet Storm Center (ISC).

Security researcher Brad Duncan wrote:

[A]s early as Friday 2015-11-20, this actor started sending CryptoWall 4.0 as one of its malware payloads from the Nuclear exploit kit (EK). Until now, I’ve only associated CryptoWall 4.0 with malicious spam (malspam). This is the first time I’ve noticed CryptoWall 4.0 sent by an EK.

The researcher, who has long kept tabs on the ransomware, determined that a cybercriminal working off the domains owned by Chinese domain registrar BizCN has been dispersing the ransomware through the exploit kit.

He added:

Since this information is now public, the BizCN gate actor may change tactics. However, unless this actor initiates a drastic change, it can always be found again. I (and other security professionals) will continue to track the BizCN gate actor.

LIFARS recommends that readers avoid paying ransoms, since there is no guarantee that payment results in the delivery of decryption keys. Furthermore, money given to a criminal enterprise could very well facilitate further criminal activity.

The practice of regular offline backups of data is highly recommended.

Image credit: Flickr.

About the author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.
