Heimdal Security says the Rig Exploit Kit has been used to plant Cerber ransomware on domains ending with the .news suffix, including the shortened list shown below. (Cerber has the unique feature of talking to its victims.)
An exploit kit is a set of tools developed by criminal gangs, who employ programmers to keep the product up to date and add improvements.
VirusTotal reports show that only 2-5 out of the 68 anti-virus products it tests detect this type of attack. (You can enter the URL of any site here and VirusTotal will check it.)
The Rig Exploit Kit looks for and then attacks any of the products shown below to gain remote code execution privileges.
Google Update Attacked
Hackers have even found that by putting a file called goopdate.dll in the same path as GoogleUpdate.exe it will load their .dll and not Google’s. Since GoogleUpdate.exe is the legitimate signed product, no warning is given to the user. They have been using this technique to spread the CryptoLuck ransomware.
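The goopdate.dll trick above is a DLL search-order hijack: the signed updater loads a library from its own directory before looking anywhere else. One way for an administrator to hunt for it is to locate every GoogleUpdate.exe, look for a goopdate.dll beside it, and flag any copy that does not carry a valid Authenticode signature from Google. The script below is an added example, not code from Heimdal Security or the original article; the search roots and the function name Test-SuspiciousGoopdate are assumptions, and the "Google" signer match is a deliberately loose check that you would tighten to the exact certificate subject or thumbprint you see on a known-good install.

```powershell
# Added example (not from the article): hunt for a goopdate.dll planted next to
# GoogleUpdate.exe. Search roots are an assumption; adjust them for your estate.
$SearchRoots = @(
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}",
    "$env:LOCALAPPDATA",
    "$env:ProgramData"
)

function Test-SuspiciousGoopdate {
    param([string[]]$Roots = $SearchRoots)

    $findings = @()
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Find every copy of the signed updater and inspect the DLL that would
        # be loaded from the same directory.
        Get-ChildItem -Path $root -Filter 'GoogleUpdate.exe' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dll = Join-Path $_.DirectoryName 'goopdate.dll'
            if (-not (Test-Path -LiteralPath $dll)) { return }   # nothing beside this updater

            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            # A legitimate goopdate.dll is Authenticode-signed by Google. Anything
            # unsigned, tampered, or signed by someone else is a hijack candidate.
            if ($sig.Status -ne 'Valid' -or $signer -notmatch 'Google') {
                $findings += [pscustomobject]@{
                    Updater = $_.FullName
                    Dll     = $dll
                    Status  = $sig.Status
                    Signer  = $signer
                    Sha256  = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
                }
            }
        }
    }
    return $findings
}

# Usage: list findings for the operator, then exit non-zero so a scheduled
# task or EDR script runner can raise an alert.
$hits = Test-SuspiciousGoopdate
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    exit 1
}
Write-Output 'No suspicious goopdate.dll found beside GoogleUpdate.exe.'
```

The SHA-256 in each finding is there so a hit can be checked against your own threat intelligence or submitted for analysis; the script does not decide on its own that a file is CryptoLuck, only that it is not the library Google signed. Run it with administrator rights, since the Program Files trees are not fully readable to a standard user.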
Neutrino EK Unmasked
Heimdal Security also says that criminal hacker gangs had been using the Neutrino EK to spread the CrypMIC ransomware using drive-by downloads.
List of Affected Products and Versions
The list of software vulnerable to Rig is long, especially the list of Adobe products. (Click this link to find the version of the Adobe Player you are using.) All of the products have been patched. Below are the products along with their patch date. The Adobe products were patched between 2015 and 2016.
- Adobe Flash Player before 220.127.116.114 and 19.x and 20.x before 18.104.22.1687 on Windows and OS X, 13.x through 22.214.171.1242 on Windows and OS X.
- Adobe Flash Player 14.x through 126.96.36.199 on Windows and OS X.
- Adobe Flash Player before 188.8.131.529 on Linux.
- Adobe Flash Player 11.x through 184.108.40.2061 on Linux.
- Adobe Flash Player 220.127.116.11.
- Adobe AIR before 18.104.22.168.
- Adobe AIR SDK before 22.214.171.124.
- Adobe AIR SDK 12.x through 126.96.36.199 on Linux Chrome.
- Internet Explorer versions 9, 10, 11. Patched October 11, 2016.
- Silverlight version 5.0. Patched January 12, 2016.
Since these products have all been patched against the Rig exploits, users just need to update them. Administrators also need to run an education campaign so that other users learn how to update their products, or simply turn on automatic updating if it is not already in place.
People who have been hit by the ransomware will have to pay the ransom if they have no backup. This is one reason why no data should be kept on the local machine but in the cloud instead: the OS can then simply be wiped. Of course, that does not help if the infected data is a database hosted in the cloud.