UK Uni Ransomware Attacks Linked to Malvertising Campaign

The ransomware that caused widespread disruption at two UK universities last week is now thought to have been spread via a much larger malvertising campaign, according to Proofpoint.

Kafeine, a researcher at the security vendor, explained that the C&C IP address for the ransomware in question is commonly associated with the Mole family and payloads linked to the Astrum exploit kit, a known favorite of the banking trojan group AdGholas.

“At that stage, we were almost convinced the events were tied to AdGholas / Astrum EK activity. We confirmed this, however, via an HTTPS connection common to the compromised host avia-book[.]com,” the blog post continued.

This host was apparently being used in a large-scale malvertising campaign targeting the UK, Australia, Canada, Italy, Monaco, Liechtenstein, Luxembourg, Switzerland, Japan, Taiwan and the United States.

All compromised hosts are said to have contacted the Astrum C&C IP address.
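The attribution above rests on shared network indicators: every compromised host talked to the same C&C address, and the compromised site avia-book[.]com was reachable over HTTPS. Defenders can apply the same logic to their own proxy logs. The script below is an added example, not Proofpoint's code or anything from the article. It refangs the defanged domain quoted above, and because the page does not publish the C&C IP address, it uses a labelled TEST-NET placeholder in its place; the proxy log lines are constructed for the example.

```python
import re

# Indicator quoted in the article (defanged as published). The Astrum C&C IP is
# not given on the page, so a TEST-NET-3 placeholder stands in for it here.
ARTICLE_INDICATORS = {
    "domains": ["avia-book[.]com"],
    "ips": ["203.0.113.10"],  # PLACEHOLDER, not the real C&C address
}

# Constructed sample proxy log lines for this example (not real traffic).
SAMPLE_PROXY_LOG = """\
2017-06-14T10:02:11Z host=lab-pc-01 method=CONNECT dest=avia-book.com:443 status=200 bytes=52311
2017-06-14T10:02:12Z host=lab-pc-01 method=CONNECT dest=203.0.113.10:443 status=200 bytes=8174
2017-06-14T10:05:40Z host=lab-pc-02 method=GET dest=example.org:80 status=200 bytes=1432
2017-06-15T08:41:03Z host=lib-pc-07 method=CONNECT dest=203.0.113.10:443 status=200 bytes=9012
2017-06-15T09:00:00Z host=lib-pc-08 method=GET dest=cdn.example.net:80 status=304 bytes=0
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) method=(?P<method>\S+) "
    r"dest=(?P<dest>[^:\s]+):(?P<port>\d+) status=(?P<status>\d+) bytes=(?P<bytes>\d+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('avia-book[.]com', 'hxxp://') back into its plain form."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def parse_line(line: str):
    """Parse one key=value proxy log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("port", "status", "bytes"):
        rec[key] = int(rec[key])
    return rec


def dest_matches(dest: str, domains: set, ips: set) -> bool:
    """Exact match for IPs; a domain matches itself and any subdomain of it."""
    dest = dest.lower().rstrip(".")
    if dest in ips:
        return True
    return any(dest == d or dest.endswith("." + d) for d in domains)


def find_matches(log_text: str, indicators: dict) -> list:
    """Return every parsed log record whose destination is a watched indicator."""
    domains = {refang(d).lower() for d in indicators["domains"]}
    ips = {refang(i) for i in indicators["ips"]}
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and dest_matches(rec["dest"], domains, ips):
            hits.append(rec)
    return hits


def hosts_contacting(log_text: str, indicators: dict) -> list:
    """Sorted list of internal hosts that reached any of the indicators (triage list)."""
    return sorted({rec["host"] for rec in find_matches(log_text, indicators)})


if __name__ == "__main__":
    for rec in find_matches(SAMPLE_PROXY_LOG, ARTICLE_INDICATORS):
        print(f"{rec['ts']} {rec['host']} -> {rec['dest']}:{rec['port']}")
    print("hosts to triage:", hosts_contacting(SAMPLE_PROXY_LOG, ARTICLE_INDICATORS))
```

Because the malvertising chain ran over HTTPS, a proxy that only logs CONNECT destinations will still see the host name or IP, which is why the matcher keys on the destination rather than on URL paths or content.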

“It appears that between June 14 and 15, Astrum was dropping Mole ransomware in the United Kingdom and likely in the US. Mole is a member of the CryptFile2/CryptoMix ransomware family. We do not know the payloads in other countries, but, based on past activity, we are confident they were banking Trojans. Unlike ransomware, bankers are generally less noisy and often remain unnoticed by victims,” Kafeine concluded.

“AdGholas malvertising redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today. Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value websites and targets.”

The UK universities caught up in the campaign, UCL and Ulster University, appear to be back to normal now.

UCL’s IT team initially claimed a zero-day threat was the cause of the ransomware, which now seems wide of the mark. However, the drive-by nature of malvertising would have made this attack particularly hard to guard against.
