
Yahoo Ads Spread CryptoWall Ransomware

Source: Tom's Guide US

Getting malware on your computer can be devastating, but at least it's usually easy to avoid — unless, of course, popular sites are spreading it via legitimate advertisements. A security firm recently discovered that CryptoWall ransomware, one of the most insidious pieces of malware in the last few years, was making inroads with legitimate online advertising services, including Yahoo.

The information comes from the blog of Sunnyvale, California-based security firm Blue Coat. Security researcher Chris Larsen was investigating where CryptoWall comes from and how it continues to spread when he made a surprising discovery: the server that hosts Yahoo's advertising sometimes sends users to sketchy Eastern European sites where CryptoWall thrives.


In case you missed the hullabaloo about CryptoWall when it first appeared, there's a good reason why it made waves in the security community. CryptoWall is a very bald-faced piece of malware that's surprisingly hard to get rid of. Rather than pretending to be the FBI or the police, like other ransomware, it simply announces that it's encrypted all of your personal files and you'll need to pay to restore them.

Yahoo has nothing to do with CryptoWall, and will probably be horrified to learn that it has been sending visitors to sites where they could get infected. Yahoo ads come from a variety of sources, and one of them is a large server called Despite the URL, actually routes back to the Czech Republic and receives advertisements from malware distributors in India, Myanmar, Indonesia and Russia. This practice is known as "malvertising."

Given the tangled trail leading from Yahoo back to CryptoWall, it's hard to say how many users contracted the ransomware by clicking on supposedly legitimate advertisements. Although the fix was a long time coming, you can now clear CryptoWall off your system. Reputable security firms Fox-IT and FireEye collaborated on the free DecryptoLocker project, which provides a simple way for CryptoWall victims to recover their files and their privacy.

As for avoiding future infections, steer clear of suspicious websites, especially with Eastern European or South Asian domain names. Think carefully, too, before clicking on banner advertisements, even at major websites.

Marshall Honorof is a Staff Writer for Tom's Guide.

  • 3
    dotaloc, August 11, 2014 9:40 AM
    The irony! Hot on the heels of "How Google, Yahoo, Microsoft, and Facebook Are Creating a Safer Internet."

  • 2
    das_stig, August 11, 2014 9:57 AM
    Yeh, their idea of safe is to only visit pages they deem acceptable and financially profitable for them. Wonder if Yahoo are liable for any damage done since it was their advertising system that was infecting systems?
  • 8
    InvalidError, August 11, 2014 9:57 AM
    One more reason to use AdBlock and Flashblock to prevent infested ads from getting loaded in the first place.
  • 2
    kittle, August 11, 2014 10:31 AM
    One more reason to use AdBlock and Flashblock to prevent infested ads from getting loaded in the first place.

    very much so. Also handy for AdBlock when you send donations
  • 3
    razor512, August 11, 2014 10:40 AM
    This is why programs like adblock are needed. If these companies do not care enough to properly vet the ads they put up, then the users should not care enough to display their ads.

    The failure to properly vet the ads has already led to a poisoned well for advertising because 99% of the ads are advertising crap that is malicious, bad deals, and crap that would normally be caught by a spam filter. It is impossible to trust an advertisement when little to no verification is done. (What is stopping someone from taking out an ad that leads to a phishing site?)

    Companies need to also vet ads on whether they are truly offering something good. Advertising only works when the viewer feels that they are benefiting from the ad also. Meaning, if someone is advertising a new video card, then make sure the price for it is highly competitive. If you run a website and you do not like people blocking the ads, then do a better job at examining the ads, and make sure that only truly good deals are shown in a way that does not annoy the user with things like popups or ads that cover actual content.

    (I have never seen an ad that offered me something for a better price than I could get at the usual places that I shop.)
  • 0
    Darkk, August 11, 2014 11:27 AM
    Yahoo should be running a proxy to tunnel all the ads through their servers for scanning before being sent to your computer. Of course they won't because of liability. Other than the obvious of not clicking on anything suspicious, software like adblock is one way. If you have a high class router you can proxy all your connections to be scanned by virus software before it reaches your internal network.
  • 0
    misnlink, August 11, 2014 2:43 PM
    DecryptoLocker won't work on files corrupted by CryptoWall; it was set up for files corrupted by the earlier malware CryptoLocker, hence the name.
    If you try anyway, you get the message:
    "The file does not seem to be infected by CryptoLocker. Please submit a CryptoLocker infected file."
    (3rd time attempting to post this comment)