Yahoo Ads Spread CryptoWall Ransomware

Getting malware on your computer can be devastating, but at least it's usually easy to avoid — unless, of course, popular sites are spreading it via legitimate advertisements. A security firm recently discovered that CryptoWall ransomware, one of the most insidious pieces of malware in the last few years, was making inroads with legitimate online advertising services, including Yahoo.

The information comes from Sunnyvale, California-based security firm Blue Coat's blog. Security researcher Chris Larsen was investigating where CryptoWall comes from and how it continues to spread when he made a surprising discovery:, the server that hosts Yahoo's advertising, sometimes sends users to sketchy Eastern European sites where CryptoWall thrives.


In case you missed the hullabaloo about CryptoWall when it first appeared, there's a good reason why it made waves in the security community. CryptoWall is a very bald-faced piece of malware that's surprisingly hard to get rid of. Rather than pretending to be the FBI or the police, like other ransomware, it simply announces that it's encrypted all of your personal files and you'll need to pay to restore them.

Yahoo has nothing to do with CryptoWall, and will probably be horrified to learn that it has been sending visitors to sites where they could get infected. Yahoo ads come from a variety of sources, and one of them is a large server called Despite the URL, actually routes back to the Czech Republic and receives advertisements from malware distributors in India, Myanmar, Indonesia and Russia. This practice is known as "malvertising."

Given the tangled trail leading from Yahoo back to CryptoWall, it's hard to say how many users contracted the ransomware by clicking on supposedly legitimate advertisements. Although the fix was a long time coming, you can now clear CryptoWall off your system. Reputable security firms Fox-IT and FireEye collaborated on the free DecryptoLocker project, which provides a simple way for CryptoWall victims to recover their files and their privacy.

As for avoiding future infections, steer clear of suspicious websites, especially with Eastern European or South Asian domain names. Think carefully, too, before clicking on banner advertisements, even at major websites.

Marshall Honorof is a Staff Writer for Tom's Guide. Contact him at Follow him @marshallhonorof and on Google+. Follow us @tomsguide, on Facebook and on Google+.

  • The irony! Hot on the heels of "How Google, Yahoo, Microsoft, and Facebook Are Creating a Safer Internet."
  • Yeah, their idea of safe is to only visit pages they deem acceptable and financially profitable for them. Wonder if Yahoo are liable for any damage done, since it was their advertising system that was infecting systems?
  • One more reason to use AdBlock and Flashblock to prevent infested ads from getting loaded in the first place.