Yahoo Ads Spread CryptoWall Ransomware
Getting malware on your computer can be devastating, but at least it's usually easy to avoid — unless, of course, popular sites are spreading it via legitimate advertisements. A security firm recently discovered that CryptoWall ransomware, one of the most insidious pieces of malware in the last few years, was making inroads with legitimate online advertising services, including Yahoo.
The information comes from Sunnyvale, California-based security firm Blue Coat's blog. Security researcher Chris Larsen was investigating where CryptoWall comes from and how it continues to spread when he made a surprising discovery: ads.yahoo.com, the server that hosts Yahoo's advertising, sometimes sends users to sketchy Eastern European sites where CryptoWall thrives.
In case you missed the hullabaloo about CryptoWall when it first appeared, there's a good reason why it made waves in the security community. CryptoWall is a very bald-faced piece of malware that's surprisingly hard to get rid of. Rather than pretending to be the FBI or the police, like other ransomware, it simply announces that it's encrypted all of your personal files and you'll need to pay to restore them.
Yahoo has nothing to do with CryptoWall, and will probably be horrified to learn that it has been sending visitors to sites where they could get infected. Yahoo ads come from a variety of sources, and one of them is a large server called adsmail.us. Despite the URL, adsmail.us actually routes back to the Czech Republic and receives advertisements from malware distributors in India, Myanmar, Indonesia and Russia. This practice is known as "malvertising."
Given the tangled trail leading from Yahoo back to CryptoWall, it's hard to say how many users contracted the ransomware by clicking on supposedly legitimate advertisements. Although the fix was a long time coming, you can now clear CryptoWall off your system. Reputable security firms Fox-IT and FireEye collaborated on the free DecryptoLocker project, which provides a simple way for CryptoWall victims to recover their files and their privacy.
As for avoiding future infections, steer clear of suspicious websites, especially with Eastern European or South Asian domain names. Think carefully, too, before clicking on banner advertisements, even at major websites.