Ransomware Spreads Online via Website of Security Certification Provider

For the past four days, the website of security certification provider EC-Council has been observed redirecting visitors to a page hosting the Angler exploit kit, which drops the TeslaCrypt ransomware onto the victim's machine. According to threat intelligence expert Yonathan Klijnsma, the Angler exploit kit has been serving ransomware to Internet Explorer users from the site since Monday.

Klijnsma reports that the redirects may have been in place longer than suspected. Based on his analysis, the injected redirect only leads to the Angler exploit kit when three conditions are met: the visitor uses Microsoft Internet Explorer, the visitor arrived from a search engine such as Google or Bing, and the visitor's IP address is neither blacklisted nor geolocated in a country the inject avoids, notably countries where the cybercriminals behind the attack could be incriminated.
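The gating logic above is also the reason a site owner checking the page from an office browser sees nothing wrong. The following Python, added here as an example and not code from Klijnsma or Trend Micro, mirrors the three conditions and then uses them to test a site for conditional injection: fetch once as an ordinary visitor and once as an Internet Explorer visitor arriving from Google, and report any script or iframe source that appears only in the second response. The avoided-country set, the redirector hostname and the HTML pages are constructed placeholders for offline use, not Angler's real values.

```python
import re
from urllib.parse import urlparse

# Search engines the article names (Google, Bing); Yahoo is added as an assumption.
SEARCH_ENGINE_LABELS = {"google", "bing", "yahoo"}

# The article only says the inject "avoids certain countries"; this set is a
# constructed placeholder for illustration, not the real exclusion list.
AVOIDED_COUNTRIES = {"RU", "UA", "BY", "KZ"}

# Internet Explorer identifies as "MSIE x.0" up to IE10 and "Trident/7.0" for IE11.
IE_UA = re.compile(r"MSIE \d|Trident/\d")

# Crude but sufficient: pull the src attribute of every <script> and <iframe>.
SRC_RE = re.compile(r"<(?:script|iframe)[^>]+src=[\"']([^\"']+)[\"']", re.I)


def matches_gate(user_agent, referer, country):
    """Return True only if all three conditions described in the article hold:
    an IE browser, a search-engine referer, and a country the inject does not avoid."""
    if not IE_UA.search(user_agent):
        return False
    host = urlparse(referer).hostname or ""
    if not SEARCH_ENGINE_LABELS.intersection(host.lower().split(".")):
        return False
    return country.upper() not in AVOIDED_COUNTRIES


def injected_sources(clean_html, suspect_html):
    """External script/iframe sources present in the gated response but not the baseline."""
    baseline = set(SRC_RE.findall(clean_html))
    return [src for src in SRC_RE.findall(suspect_html) if src not in baseline]


def check_site(fetch, url):
    """Fetch the page as a plain visitor and as a gated IE visitor, then diff the sources.

    `fetch(url, headers)` must return the response body as a string; in practice
    it would wrap urllib.request, here a constructed stand-in is passed instead."""
    plain = fetch(url, {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"})
    gated = fetch(url, {
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
        "Referer": "https://www.google.com/search?q=ec-council",
    })
    return injected_sources(plain, gated)


# Constructed pages standing in for a compromised WordPress site: the injected
# 1x1 iframe only appears for visitors who pass the gate.
CLEAN_PAGE = ('<html><head><script src="/wp-includes/js/jquery.js"></script></head>'
              '<body>EC-Council</body></html>')
INJECT = '<iframe src="http://redirector.example/gate.php" width="1" height="1"></iframe>'


def fake_fetch(url, headers):
    """Simulated server: the visitor is assumed to geolocate to "US" (a constructed value)."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if matches_gate(ua, referer, "US"):
        return CLEAN_PAGE.replace("</body>", INJECT + "</body>")
    return CLEAN_PAGE


if __name__ == "__main__":
    for src in check_site(fake_fetch, "https://www.example.org/"):
        print("injected source only served to gated visitors:", src)
```

When running this against a live site, fetch from an IP outside the avoided regions and do not open the reported sources in a browser; the first hop is a redirector, and following it with a vulnerable Flash or Silverlight plugin installed is exactly how the article's victims got infected.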

Various popular websites continue to serve malicious advertisements that deliver exploit kits, resulting in millions of affected users. Klijnsma writes: “Once the user has jumped through all the redirects, he/she ends up on the Angler exploit kit landing page from which the browser, Flash Player plugin or Silverlight plugin will be exploited. The Angler exploit kit first starts the ‘Bedep’ loader on an exploited victim machine which will download the final payload.” The EC-Council website was compromised through its vulnerable WordPress CMS; WordPress sites are an attractive target for attackers because of the many vulnerable plugins in circulation.

The Angler exploit kit drops the ‘TeslaCrypt’ ransomware, which encrypts a victim's files and then demands around 1.5 Bitcoin ($622) for the decryption key. Despite repeated warnings, EC-Council has neither responded nor taken corrective action.

As long as vulnerable applications remain in widespread use, exploit kits will continue to be a threat. As reported by Trend Micro, exploit kits have been a significant threat for years, affecting mostly users in Japan and the US, with frequent victims in Australia, Canada, France, Germany, and the UK.

[READ: How serious is the Angler Exploit kit problem?]

Trend Micro products and solutions can defend against threats from exploit kits. The Script Analyzer feature of Trend Micro™ Deep Discovery can detect this threat by its behavior without any engine or pattern updates. Endpoint products such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free Business Security have a Browser Exploit Prevention feature that prevents exploits from running on affected systems.
