A newly uncovered cybercriminal campaign is using a well-known exploit kit to distribute ransomware through drive-by downloads on hacked websites.
Exploit-kit attacks of this kind were once subtler, typically used to serve malvertising for click-based revenue or, in some instances, to plant stealthy malware.
Now, however, researchers at Malwarebytes have uncovered a campaign that harnesses the RIG exploit kit on hacked websites to distribute the Princess/PrincessLocker ransomware.
This particular form of ransomware isn’t particularly widespread, but it’s notable for initially using the same template as Cerber, one of the most successful ransomware families.
However, researchers have noted that the similarities between the two ransomware families are superficial: the actual code behind PrincessLocker is “much different” from that of Cerber.
Upon visiting a compromised website, the user is silently redirected to a page controlled by the attackers, which exploits unpatched vulnerabilities on the visitor’s machine to deploy PrincessLocker without any further interaction on the victim’s part.
This attack vector differs from the usual ransomware tactic of pushing the payload in phishing emails, but once the malware is delivered the result is the same: the victim’s files are encrypted and the cybercriminals demand a ransom to release them.
The attackers describe the initial ransom demand as a “special price” which is only available for seven days. If a victim waits longer than that to pay, the ransom rises to 0.1540 bitcoin ($738/£570).
Researchers have previously found PrincessLocker to be relatively unsophisticated compared to other forms of ransomware. Because of this, a decryption tool is available that can recover files encrypted by earlier versions of PrincessLocker. However, the attackers took note of their initial errors, and the tool no longer works against the more recent strains.
The best way to avoid the consequences of PrincessLocker is simply to avoid infection in the first place. With patches for the critical vulnerabilities exploited by the kit having been available for over two years, there is really no excuse for not having applied them.