A new wave of crypto ransomware is hitting Windows users courtesy of poorly secured websites. Those sites are infected with Angler, the off-the-shelf, hack-by-numbers exploit kit that saves professional criminals the hassle of developing their own attack.
The latest round is especially nasty because before encryption, the drive-by attacks first use malware known as Pony to harvest any login credentials stored on the infected computer, according to a blog post published by a firm called Heimdal Security. The post explains:
The campaign is carried out by installing a cocktail of malware on the compromised PC. The first payload consists of the notorious data thief Pony, which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of Control & Command servers controlled by the attackers.
The purpose of this action is to abuse legitimate access credentials to web servers and CMS systems used by websites and to inject the malicious script in these websites so that the campaign achieves the largest possible distribution.
In the second phase, the drive-by campaign unfolds via the victim being moved from the legitimate website, which has been compromised, to a heap of dedicated domains which drop…
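The quoted post describes how harvested CMS and web-server credentials are used to inject a script into legitimate sites so that visitors are redirected to the exploit kit. A site owner's first line of defence against that step is an integrity check on what the site actually serves. The following is an added example, not code from the article or from Heimdal Security: a small baseline check that parses served HTML, allowlists the script hosts the site legitimately uses, fingerprints its known inline scripts, and reports anything else. The hostnames, the allowlist and the two sample pages are constructed for the example.

```python
"""Added example (not from the article or from Heimdal Security).
Checks served HTML against a known-good baseline of script sources so
that an injected <script> tag stands out.  Hostnames, allowlist and
sample pages are constructed for the example."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example.com", "cdn.example.com"}


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # values of src= attributes
        self.inline = []          # bodies of <script>...</script>
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script content through handle_data (CDATA mode)
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def inline_fingerprint(body):
    """Stable identifier for an inline script body."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def find_unexpected_scripts(html, page_host, allowed_hosts, known_inline):
    """Return a list of (kind, detail) findings for scripts outside the
    baseline: ("external_script", src) for an unknown host, or
    ("inline_script", sha256) for an inline body not seen before."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host is None:           # relative src resolves to the site itself
            host = page_host
        if host not in allowed_hosts:
            findings.append(("external_script", src))
    for body in collector.inline:
        fp = inline_fingerprint(body)
        if fp not in known_inline:
            findings.append(("inline_script", fp))
    return findings


# Constructed baseline: the one inline script the real page is known to carry.
KNOWN_INLINE_BODY = "window.siteReady = true;"
KNOWN_INLINE = {inline_fingerprint(KNOWN_INLINE_BODY)}

# Constructed sample pages: a clean copy and a copy with two injected tags.
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script>window.siteReady = true;</script>
</head><body><p>hello</p></body></html>"""

INJECTED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="http://unexpected-host.invalid/ld.js"></script>\n'
    "<script>var x=1;</script>\n</head>",
)

if __name__ == "__main__":
    print("clean   :", find_unexpected_scripts(
        CLEAN_PAGE, "example.com", ALLOWED_SCRIPT_HOSTS, KNOWN_INLINE))
    print("injected:", find_unexpected_scripts(
        INJECTED_PAGE, "example.com", ALLOWED_SCRIPT_HOSTS, KNOWN_INLINE))
```

Run it against a page fetched the way a visitor fetches it (not from the CMS database), since the injection described in the post is made with valid credentials and will look legitimate from inside the CMS. Unknown external hosts are the usual signal for this campaign type; the inline fingerprint catches the variant where the redirect is written directly into the page.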