This malvertising campaign infected PCs with ransomware without users even clicking a link

Users only needed to visit a website compromised with a malicious advert to become infected with Mole ransomware, warn security researchers.
Written by Danny Palmer, Senior Writer

A widespread malvertising campaign was probably behind a ransomware attack which affected UK universities and others, and it's capable of infecting users who simply visited a site compromised with the malware.

University College London and Ulster University both took systems offline after falling victim to ransomware, which has now been identified by security researchers as Mole ransomware, a form of the file-encrypting software which first appeared in April. It's named as such because the extensions of infected files are changed to .MOLE, and it is part of the CryptoMix ransomware family.

Cybersecurity researchers at Proofpoint uncovered the ransomware, which they've linked to the AdGholas malvertising group. The campaign usually uses malicious advertising to spread banking trojans rather than ransomware, which is a much noisier attack than a stealthy data-stealing tool.

While the universities were the most high-profile target of the ransomware, the malvertising was part of a much broader attack which targeted countries around the world via a compromised host website.

One of the reasons the ransomware was able to infiltrate networks was that users didn't even need to click on the malicious adverts: just visiting the compromised website was enough for them to become infected, because the attackers deployed the Astrum exploit kit to leverage an old Flash exploit.

"There is no need to click on the advertisement to be infected. It is enough simply to display the ad: if the machine is vulnerable and targeted, then the infection occurs without any user interaction," said 'Kafeine', the researcher who discovered the ransomware-dropping campaign.

Between 14 and 15 June, an AdGholas infection chain was using Astrum to drop ransomware against targets in the UK and perhaps the US.

Those infected with Mole are presented with a ransom note demanding 0.5 Bitcoins (currently $1,364) in exchange for decrypting files.

Image: Mole ransomware ransom note (Proofpoint).

However, in the case of UCL and Ulster, neither paid the ransom, and after some initial downtime both were able to get systems up and running again thanks to backups taken the day before the infection.

"If the malicious payload in this case hadn't been ransomware, which is obviously much more visible to users than the banking Trojans these threat actors normally distribute, the victims might never have known they were infected," said Kevin Epstein, VP of the Threat Operations Center at Proofpoint.

"Cybercriminals continue to develop ransomware, and leading universities like UCL, whose systems contain highly valuable data, are clearly targets."

ZDNet contacted the universities to confirm whether they specifically became infected with Mole ransomware, but hadn't received a response at the time of publishing.
