Website malware is something we have covered quite frequently on this blog, but generally it could be avoided with careful browsing habits and awareness of the types of websites you visit. Unfortunately, that can no longer be said. On December 31st, Cyphort Labs, a cybersecurity firm, detected malware being served to visitors of the Canadian website of the Huffington Post. The firm later confirmed that the same malware was being delivered through several other mainstream websites.
The malware in question is ransomware, one of the more frightening classes of malware to arrive in recent years. Note that "ransomware" is a category, not the name of a single virus, and the variant served here is a screen locker rather than a file encrypter: once it runs, it locks the user out of the desktop and blocks any attempt to make changes. Infected computers in the United States display a fake message from the FBI; those in France see one from la Police nationale, and there are custom messages for Germany, Turkey and the U.K. as well. The purpose is to extort money by scaring users into believing that their government has found illegal content on their computer. The message is clear: pay the associated "fine" for your (often embarrassing) crime, or face public prosecution. Unfortunately for users who fall for the ploy, their computers remain locked even after they pay. The only good news is that, unlike the far more destructive CryptoLocker family, this variant does not encrypt your files, so the system is fully recoverable once the infection is removed.
Most content-heavy websites use third-party ad delivery systems to help fund their content. In this case it was the AOL ad network (advertising.com) that became the indirect host for the ransomware. The operators used a chain of redirects to hide the malicious payload and get around the advertising network's safety checks: the ad creative submitted to the network looks harmless, and only after several hops does the visitor's browser land on the page that actually delivers the malware. The publishers themselves were not hacked; the malicious content reached their visitors through the ad slots, which is why this technique is called malvertising. While the Huffington Post was the first website on which the infection was detected, every website serving ads from that network was exposed to the same campaign.
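As an added example (not code from the original post, from Cyphort or from AOL), here is a small Python audit a webmaster can use to see where an ad tag actually sends a visitor: it follows HTTP redirects through an injectable fetcher and flags every hop whose host is outside a trusted list. The fetcher, the sample chain and every hostname other than advertising.com are constructed for illustration.

```python
"""Audit an ad tag's redirect chain and flag hops that leave the ad network.

Added example, not code from the original post. advertising.com is the only
real name used; every other host, and the sample chain, is constructed.
"""
from urllib.parse import urljoin, urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Hosts an ad creative is expected to pass through: the publisher's own ad
# host (assumed) and the network. A malvertiser inserts extra redirectors so
# that the creative the network reviews never points at the exploit page.
TRUSTED_DOMAINS = {"advertising.com", "ad.example-publisher.test"}


def is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if host equals a trusted domain or is a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def follow_chain(start_url, fetch, max_hops=10):
    """Return the ordered list of URLs visited by following HTTP redirects.

    fetch(url) -> (status, headers) is injected so the audit runs offline
    against a recorded or constructed map. Only Location-header redirects
    are followed; meta refresh and JavaScript redirects need a real browser,
    which is exactly why some malvertising chains use them.
    """
    chain = [start_url]
    seen = {start_url}
    for _ in range(max_hops):
        status, headers = fetch(chain[-1])
        location = headers.get("Location")
        if status not in REDIRECT_CODES or not location:
            return chain
        nxt = urljoin(chain[-1], location)   # resolve relative Locations
        if nxt in seen:
            raise RuntimeError(f"redirect loop at {nxt}")
        seen.add(nxt)
        chain.append(nxt)
    raise RuntimeError(f"more than {max_hops} redirects from {start_url}")


def untrusted_hops(chain, trusted=TRUSTED_DOMAINS):
    """Hosts in the chain outside the trusted set, in first-seen order."""
    out = []
    for url in chain:
        host = urlparse(url).hostname or ""
        if not is_trusted(host, trusted) and host not in out:
            out.append(host)
    return out


# Constructed chain: the network hands off to a redirector the operators
# control, which after a relative hop lands on the page serving the malware.
SAMPLE_RESPONSES = {
    "https://ad.example-publisher.test/tag?slot=top":
        (302, {"Location": "https://servedby.advertising.com/click?id=42"}),
    "https://servedby.advertising.com/click?id=42":
        (302, {"Location": "https://cdn.cloudfonts-static.test/r.php"}),
    "https://cdn.cloudfonts-static.test/r.php":
        (302, {"Location": "/go/landing"}),
    "https://cdn.cloudfonts-static.test/go/landing":
        (302, {"Location": "https://lander.example-evil.test/ek/index.php"}),
    "https://lander.example-evil.test/ek/index.php":
        (200, {"Content-Type": "text/html"}),
}


def sample_fetch(url):
    """Offline stand-in for an HTTP client; unknown URLs are treated as 404."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def audit(start_url, fetch=sample_fetch):
    """Return (chain, suspicious_hosts) for an ad tag."""
    chain = follow_chain(start_url, fetch)
    return chain, untrusted_hops(chain)


if __name__ == "__main__":
    chain, bad = audit("https://ad.example-publisher.test/tag?slot=top")
    for hop in chain:
        print(("   " if is_trusted(urlparse(hop).hostname) else "!! ") + hop)
    print("hosts outside the ad network:", bad)
```

Swap `sample_fetch` for a real client only from an isolated machine, since the final hop is the page you are trying to keep your visitors away from. A clean result proves little, because ad networks rotate creatives and malvertisers often redirect only selected browsers or regions; the value is in spotting a chain that ends somewhere the network would never have approved.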
The impacted websites include:
In addition to the sites listed above, the cybersecurity company Malwarebytes is reporting that affected sites also include domains under Yahoo!, Comcast, Weather.com and more.
If you are unfortunate enough to encounter this ransomware, don't panic; it is fixable. The procedure does, however, require an understanding of safe mode and a methodical removal of every instance of the infection, since anything left behind will simply bring the lock screen back on the next boot. Your best bet is to contact an IT professional to sort out the problem, but if you must address it yourself, Malwarebytes and Symantec offer free tools that will expedite the procedure. Do not pay the "fine": as noted above, paying does not unlock the computer.
– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer