A new variant of ransomware is spreading via poorly secured websites and the Chrome Web Browser. Users are fooled into downloading what they think is a missing font pack in order to resolve the error. This attack technique is not uncommon, and has been recently reported delivering click-fraud malware, and now, ransomware. Click-fraud malware is a less malicious variant of malicious code that generates revenue for attackers by browsing to predetermined websites and “clicking” on ads.
How the Attack is Executed
- Poorly secured websites are being targeted and compromised when the attacker gains access to the site’s code (common examples include WordPress and blog sites)
- Script(s) are added that target and filter users running the Chrome web browser via Microsoft Windows OS
- If Step #2 is met, a secondary malicious script is loaded and replaces the HTML tags, causing the text on the site to become corrupt
- The site will now display a symbol throughout the page; oftentimes a symptom of a missing font package
- The attacker then initiates a pop-up window (example below) offering the potential victim the opportunity to download a font pack to remedy the error
- If the download is initiated by the user, a variant of ransomware is downloaded to the victim’s computer
- Next, the user’s computer will begin to execute the encoded ransomware procedure(s)
- The attacker may also install additional malicious payloads; as in-place security protocols permit.
shown: screenshot of ransomware disguised as Google Chrome Font Package download
How to Safeguard Users
- First, brief users about the ransomware campaign. Show them what to look for, explain how it works and provide examples.
- Ensure users know appropriate reporting and escalation procedures if ransomware is suspected or initiated.
- Review endpoint protections and ensure they are up-to-date with the latest definitions
- Examine firewall rules to confirm they are adequate to protect users from malicious sites and code
- Review and test backups. Make sure they are functioning properly; test-restore devices to ensure readiness
- Consider implementing an advanced threat detection solution (i.e. malware sandbox, endpoint threat detection and response tool)
- Consider implementing a Web Application Firewall (WAF)
Ransomware is big business and the methods of delivering it continue to evolve. Be sure to keep users informed as they are your first line of defense (or your weakest link). Download our ransomware security awareness poster and display it in your office to remind users of the importance of security awareness and the ongoing threats.