2016-10-06



There have been reports of an uptick in the use of the RIG exploit kit to deliver the CrypMIC ransomware to unsuspecting users - the kit leverages a few known Flash vulnerabilities, targeting unpatched systems, while the ransomware it drops encrypts and holds files for ransom.

How Does RIG Infect Users’ Devices?

The kit is compromising legitimate websites and redirecting visitors to domains that are downloading ransomware onto their machines.

To redirect users to malicious servers, attackers used stolen domain credentials to set up subdomains of legitimate sites. According to Threatpost, domain owners neglect to monitor their login credentials and may fail to notice they’ve been hit with a phishing attack. This is known as domain shadowing, and can allow attackers to go undetected as they pose as legitimate sites.
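One way a domain owner can catch shadowing early is to compare the subdomains actually present in their zone (or seen in passive DNS) against a baseline of subdomains they created, and to flag any name that resolves outside their own address space. The following is an added illustration, not code from the post or from any vendor it cites; the zone names, subdomain baseline, netblock and DNS records are all constructed, and the two-label zone split is a simplification (a real deployment would use a public-suffix list).

```python
import ipaddress

# Constructed baseline: the subdomains each owned zone is expected to have.
KNOWN_SUBDOMAINS = {
    "example.com": {"www", "mail", "blog"},
}

# Constructed: address ranges our own hosts live in (TEST-NET-3, documentation only).
OWNED_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed zone-file / passive-DNS style A records: (hostname, address).
# The last two are the kind of record domain shadowing leaves behind: a name the
# owner never created, pointing at infrastructure the owner does not control.
OBSERVED_RECORDS = [
    ("www.example.com", "203.0.113.10"),
    ("mail.example.com", "203.0.113.20"),
    ("blog.example.com", "203.0.113.30"),
    ("kj3f9a.example.com", "198.51.100.77"),
    ("update-cdn.example.com", "198.51.100.78"),
]


def split_host(fqdn):
    """Split 'sub.example.com' into ('sub', 'example.com').

    Assumes the registrable domain is the last two labels, which is fine for the
    constructed data here; use a public-suffix list for real zones.
    Returns (None, zone) when the name is the bare zone apex.
    """
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def in_owned_space(addr):
    """True when the address falls inside one of our own netblocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWNED_NETBLOCKS)


def find_shadowed_subdomains(records, known=KNOWN_SUBDOMAINS):
    """Return (hostname, address, reasons) for records that look like shadowing.

    A record is reported when its subdomain is absent from the baseline and/or
    it resolves outside our address space; the reason list helps an analyst
    triage. Names outside zones we own are ignored.
    """
    findings = []
    for name, addr in records:
        sub, zone = split_host(name)
        if zone not in known or sub is None:
            continue
        reasons = []
        if sub not in known[zone]:
            reasons.append("subdomain not in baseline")
        if not in_owned_space(addr):
            reasons.append("resolves outside owned netblocks")
        if reasons:
            findings.append((name, addr, reasons))
    return findings


if __name__ == "__main__":
    for name, addr, reasons in find_shadowed_subdomains(OBSERVED_RECORDS):
        print("%s -> %s: %s" % (name, addr, "; ".join(reasons)))
```

Running the check on a schedule against the registrar's zone export is what makes it useful: a subdomain that appears without a matching change ticket is the signal that the registrar login itself may have been phished, which is the first thing to rotate.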

The kit leverages several recent Adobe Flash Player vulnerabilities to compromise a victim’s system. One is CVE-2015-8651 (patched in December 2015), an integer overflow vulnerability that could lead to code execution.

Another is the more recent CVE-2016-4117, patched in May, that could cause a crash and potentially allow an attacker to take control of the affected system.

What Does the Ransomware Do?

According to Trend Micro, the CrypMIC ransomware encrypts removable and mapped network drives, demanding payment in return for decryption via Bitcoins over the anonymous Tor network.

However, paying the ransom doesn’t always guarantee users will get their files back - there have been some reports by BleepingComputer forum users that CrypMIC’s decryptor hasn’t been functioning properly, or that users haven’t received it at all after payment.

CrypMIC is an “impersonator” of another strain of ransomware known as CryptXXX, which not only encrypts files, but also steals credentials and other information related to remote desktop tools (RDP, VNC servers), VPN clients, web application frameworks, web browsers, email clients and more.

Protecting Against A Compromise

There are a few ways to protect against a potential compromise by employing strong access security tools.

Defend against the initial point of entry - that is, known Flash vulnerabilities bundled into the exploit kit - by keeping all of your devices up to date. If you have many users and different managed and unmanaged devices logging into your applications, use a tool that can detect if their devices are running an out-of-date version of Flash, then block, warn or notify them.

Keeping their devices out of your systems, or quickly remediating by updating to the latest software versions, can prevent the spread of malware to your enterprise apps.
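The device check described in the two paragraphs above comes down to parsing whatever Flash version each device reports and comparing it against a policy threshold. Below is an added example of that logic, not code from the post or from any product; the device inventory is constructed, and the two version thresholds are assumed placeholders (take the real fixed-in versions from Adobe's security bulletins for the CVEs named in the post, and the "latest" value from your own inventory). It accepts both the plugin's own description form ("WIN 21,0,0,213") and the dotted form an inventory tool typically stores.

```python
import re

# Policy thresholds. ASSUMED values for illustration only: MIN_PATCHED stands for
# the first release that fixed the newer of the two Flash bugs the kit uses, and
# LATEST for the release your inventory treats as current. Anything below
# MIN_PATCHED is still exposed to the kit and is blocked; anything below LATEST
# is let in with a warning so the user is nudged to update.
MIN_PATCHED = (21, 0, 0, 242)
LATEST = (23, 0, 0, 162)

# Flash versions are four integers, separated by '.' in inventory exports and by
# ',' in the plugin description string the browser exposes.
_VERSION_RE = re.compile(r"(\d+)[.,](\d+)[.,](\d+)[.,](\d+)")

# Constructed device inventory: (device name, raw Flash version as reported).
DEVICE_INVENTORY = [
    ("laptop-01", "WIN 21,0,0,213"),
    ("laptop-02", "23.0.0.162"),
    ("laptop-03", "22.0.0.209"),
    ("laptop-04", ""),            # no Flash installed, nothing to check
    ("laptop-05", "20.0.0.235"),
]


def fmt(v):
    """Render a version tuple back as dotted text for messages."""
    return ".".join(str(x) for x in v)


def parse_flash_version(raw):
    """Return the reported version as a 4-tuple, or None when none is present."""
    m = _VERSION_RE.search(raw or "")
    return tuple(int(x) for x in m.groups()) if m else None


def flash_access_decision(raw_version, min_patched=MIN_PATCHED, latest=LATEST):
    """Return (action, reason) where action is 'allow', 'warn' or 'block'.

    Tuples compare element by element, so (21, 0, 0, 213) < (21, 0, 0, 242)
    without any string juggling.
    """
    v = parse_flash_version(raw_version)
    if v is None:
        return "allow", "no Flash plugin reported"
    if v < min_patched:
        return "block", "Flash %s predates patched release %s" % (fmt(v), fmt(min_patched))
    if v < latest:
        return "warn", "Flash %s is behind current release %s" % (fmt(v), fmt(latest))
    return "allow", "Flash %s is current" % fmt(v)


def triage_inventory(inventory):
    """Map each device name to its (action, reason) decision."""
    return {device: flash_access_decision(raw) for device, raw in inventory}


if __name__ == "__main__":
    for device, (action, reason) in triage_inventory(DEVICE_INVENTORY).items():
        print("%-10s %-5s %s" % (device, action, reason))
```

The split between "block" and "warn" is the part worth thinking about: blocking everything that is merely behind the newest release produces a lot of helpdesk tickets, while blocking only versions known to be exploited by kits in the wild keeps the gate tight where it matters and lets the warning do the rest.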

Protect against stolen credentials by using a two-factor authentication solution on every application with sensitive information. By requiring an additional way to verify a user’s identity, other than their password, you can ensure that any passwords stolen by ransomware can’t be used to log in and steal your data.
