As if normal news weren’t bad enough, some of the largest media sites worldwide had a special offering for their visitors this week: ransomware - malicious code that was delivered via online ads and holds the victim’s computer hostage until a ransom is paid.
This particular incident involved major sites like BBC, Newsweek, The New York Times and MSN and seems to be the largest coordinated and successful attack on web-based media outlets ever. It comes on the heels of ransomware attacks specifically targeting hospitals, then Mac computers.
To be clear, the ultimate victims that were targeted in this case are not the news sites themselves. This will become more obvious within the coming weeks and months. The real victims here are the millions of visitors of the affected websites.
The publishers may need years to regain their readers’ trust, once the ransomware kicks in on local computers and users find out how it was delivered to them in the first place: via trusted news sources that many of us turn to from the office computer in the morning.
Most victims are not aware that they have been hit by an “malvertising” attack. That’s because their local computer has been primed to receive the ransomware through seemingly harmless online ads, which paved the way for a nasty secret payload - ransomware - to deliver the final blow after a quiet period.
Targeted in this particular attack were (and still are) users who visit media sites from Windows computers using traditional web browsers, like the one that came with the computer. The “loaded” malvertising ads were delivered via the largest online advertising networks including Google's DoubleClick, Rubicon, AOL and AppNexus.
A large scale attack waiting to happen
Ransomware in itself is not a new cybercrime phenomenon. First delivered on floppy disks, it has been around since 1989.
The term describes software that first encrypts the files on a local computer or corporate network, then presents the victim with a ransom note. Victims often pay thousands of dollars - usually in Bitcoin - to receive a decryption key and regain access to their data.
Over the past several years, ransomware has evolved into a main revenue source of organized cybercrime. Experts have warned that browsers are the ideal target for ransomware, because they are inherently unsafe.
Why the recent wave of ransomware attacks?
Driven by the desire of publishers to monetize content and the rise of the online advertising industry, many websites include ads from advertising distribution networks. Those 3rd-party payloads can contain malicious code.
The process is handled by multiple providers who sell on-demand content placement. Website visitors have become accustomed to it. For the advertising industry, keeping this process secure has been merely an afterthought.The risk of ransomware attacks has grown exponentially in recent years, for three reasons:
- Advertising-driven plugins like Flash and Java and myriads of other browser extensions and add-ons introduced additional vulnerabilities.
- With hundreds of millions of browsers used around the globe, the “attack surface” for ransomware now presents a field of limitless opportunities, ready for a rich harvest.
- Online publishers haven’t really cared. They’ve focused on compensating for the loss of revenue in traditional print advertising. And the large ad serving networks have yet to establish a reliable process to weed out shady operators. Obliviously, they keep pushing “malvertising” through the established channels, as happened in this attack.
Companies have developed ad blocking software to counter the risks and annoyances that come with advertisers running (dangerous, as proven by this incident) popups and banner ads on users’ local computers.
But so far, ad blockers haven’t made a real dent - some merely function as “gatekeepers”, still allowing “approved” ads to run on the local computer. Content owners, on the other side, have begun blocking their content for website visitors who use ad blockers.
Developers were taken to court by some of Europe’s largest publishers, including Germany’s Axel Springer group, who claim that ad blockers threaten their online advertising revenue streams. In the U.S., the trade organization Internet Advertising Bureau is reportedly exploring legal options, too.
Make that “was exploring” perhaps, in the light of this new ransomware attack. We think IAB will have a hard time convincing a judge that it is in their audience’s best interest to get inundated with ransomware, courtesy of a ad networks.
The irony is not lost on those who think that ad blockers actually protect, not harm the media:
Hey "adblockers are destroying journalism" people, your ads are destroying people's computers. https://t.co/McLfjKIDnv— DormantCyberPathogen (@JeffLandale) March 15, 2016
What really happens when you open your favorite news site
When you visit the frontpage of a major news website with a traditional browser, the content you’re looking at represents a vast collection of various scripts and content, assembled locally in the browser. Much of this content comes from a variety of disparate sources that have not been sufficiently vetted, neither by the publishers, nor by the ad networks.
The page is built “on the fly” in your browser, which obediently processes the code sent your way by the web server, content management and publishing systems, news agencies and aggregators, social media and visitor tracking plugins, advertising networks and - count on it - cyber criminals.
Therein lies the problem. Website visitors see only the flashy surface - headlines and story “teasers”, photos and videos, social media buttons, interactive infographics, (animated) banners or pop-up ads. If users knew what was really going on in the background, “under the hood”, they would be terrified.
This ransomware incident is a prime example. The ads displayed by the browser secretly connected in the background with “Angler”, an automated exploit toolkit hosted on remote servers. The same exploit has been behind thousands of successful ransomware attacks since 2013. Security experts estimate that Angler alone generates $60 million per year in revenue for cybercriminals.
The program is designed to probe for vulnerabilities on local computers running Microsoft Windows. If Angler finds an available environment, it goes to work. The kit downloads additional code to the victim’s computer and starts to encrypt files.
Next time the user tries to access those files, the cyber criminals present their demands in a ransom note on the screen.
Ransomware has evolved, driven by the proliferation of unsafe web browsers
This attack didn’t come out of nowhere. Industry insiders have predicted that broad scale ransomware attacks were likely to be launched via trusted, big-name websites.
That time has come, which leads us to make a prediction:
Several large European publishers have filed law suits against software companies that offer ad blockers. They argued that ad blockers kill journalism.
After these ransomware attacks against BBC, New York Times, and their respective audiences, that might be the last we heard of this argument.
Expect an avalanche of lawsuits from ransomware victims who will sue publishers for damages incurred through ransomware.
Because of the high profile of the media outlets that were hit, this incident could mark the beginning of a broader discussion about security on the web and what it takes to effectively protect local computers and networks against web-based threats.
What you can - and should - do to avoid ransomware
Before taking the necessary steps to prevent ransomware from encrypting your files, you should backup your data. Even if you don’t suspect that your computer may have been hit by ransomware, you need to maintain current backups of your data on offline storage media.
If you plan to visit any websites that serve up advertising, make sure to use a secure browser that doesn’t render any web code on your local computer.
The only virtual browser that currently fits that profile is Authentic8’s secure browser Silo, which is used by leading law firms, financial institutions and U.S. law enforcement agencies. Silo completely shields your computer and local network from ransomware and all other web-based threats.
For effective ransomware prevention, use a secure browser
With Silo, you get the web experience you’re used to, but without the bad stuff. All web content is rendered in the cloud and delivered to your local computer as visual information - pixels - via an encrypted connection.
Silo doesn’t disclose the IP address of your local computer to dangerous websites and ad networks, doesn’t accept tracking cookies, and it doesn’t provide access to local system interfaces, like the file system.
Silo makes it easy to prevent ransomware, because it makes it impossible for “Angler” or other web-borne malware to probe your computer or local network vulnerabilities from any angle.