Russian cyber criminals employ FessLeak malvertising campaign

Category: Badware News

FessLeak is the name of a new malvertising campaign that originates in Russia. It is considered to have emerged on October 17, 2014, and it remains very active in 2015. The name was assigned to the campaign after researchers noticed that the cyber criminals behind it use file-less infections to spread ransomware. Various ransomware infections exist; however, if you become a victim of the FessLeak malvertising campaign, it is most likely CryptoLocker that will slither onto your computer. It encrypts your files and then deletes itself from the computer, so there is nothing left to remove, but you will notice that your files are encrypted. Because CryptoLocker is closely associated with the FessLeak malvertising campaign, some researchers call it FessLeak ransomware. Whatever it is called, the fact remains that it is a very serious computer infection.

This malvertising campaign is called FessLeak for a reason. Security experts found that all the malicious domains used to deliver the ransomware are registered to the email address fessleak@qip.ru. These so-called "burner" domains are registered for only 8 hours and then disappear, and the process starts again after some time. Research has shown that these domains, whose DNS records are live only for a limited period, point to malicious landing pages that host the ransomware. Furthermore, it is clear that the cyber criminals engage in real-time bidding for advertisements. The advertisements are used to take users to the landing page, and they may appear on a number of websites, including CBSsports.com, thesaurus.com, jpost.com, and photobucket.com. These websites are very popular, which means that many people are at risk. Unfortunately, the administrators of these websites may be unaware that their pages are being used to distribute malware. As can be seen, malicious software can lurk on many different websites, so the specialists at 411-spyware.com believe that ordinary computer users should install SpyHunter or a similar security application in order to reduce the chance of encountering malware.

The FessLeak malvertising campaign is unique in the sense that the malicious file is never written to the system's storage: unlike in "dropper attacks", there is no "dropped file" in a "file-less" attack. Researchers found that the malware is loaded into the system's memory and then extracted with the extrac32.exe tool located in the System32 folder. In addition, the ransomware may also enter your system through Adobe Flash Player vulnerabilities; in fact, this method is currently even more common than the file-less one. Researchers report that FessLeak drops a file in the Temp folder via Flash and also makes calls to icacls.exe (the Windows tool that manages permissions on files and folders). Security tools appear unable to put an end to this because there is no malicious binary on disk for them to detect.
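Because the campaign leaves no binary on disk, a defender has to look at process behaviour instead. The following added example (not from the article or any vendor) scans constructed process-creation events and flags the two system tools the article names, extrac32.exe and icacls.exe, whenever a browser or Flash plugin process launches them; the event field names and the parent-process list are assumptions.

```python
import csv
from io import StringIO

# Constructed sample of process-creation events (Sysmon-like fields, assumed).
# Lines 3 and 4 model the reported behaviour: the Flash/browser plugin process
# launching extrac32.exe and then icacls.exe. Line 5 is a benign admin action.
SAMPLE_EVENTS = """\
time,host,parent_image,image,command_line
2015-02-03T10:01:02,ws01,C:\\Windows\\explorer.exe,C:\\Program Files\\Firefox\\firefox.exe,firefox.exe
2015-02-03T10:01:40,ws01,C:\\Program Files\\Firefox\\firefox.exe,C:\\Program Files\\Firefox\\plugin-container.exe,plugin-container.exe
2015-02-03T10:01:41,ws01,C:\\Program Files\\Firefox\\plugin-container.exe,C:\\Windows\\System32\\extrac32.exe,extrac32.exe /Y C:\\Users\\u\\AppData\\Local\\Temp\\x.cab
2015-02-03T10:01:45,ws01,C:\\Program Files\\Firefox\\plugin-container.exe,C:\\Windows\\System32\\icacls.exe,icacls.exe C:\\Users\\u\\Documents /grant Everyone:F
2015-02-03T10:05:00,ws01,C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\icacls.exe,icacls.exe C:\\share /grant admin:F
"""

# Parent processes that should never need these tools (assumed list; extend to
# whatever browsers and plugin hosts exist in your environment).
BROWSER_PARENTS = {"firefox.exe", "plugin-container.exe", "iexplore.exe",
                   "chrome.exe", "flashplayerplugin.exe"}
# The living-off-the-land tools the article reports the campaign calling.
SUSPICIOUS_CHILDREN = {"extrac32.exe", "icacls.exe"}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(csv_text):
    """Return (time, host, parent, child, command_line) for each suspicious launch."""
    hits = []
    for row in csv.DictReader(StringIO(csv_text)):
        parent = basename(row["parent_image"])
        child = basename(row["image"])
        # Only a browser/plugin parent spawning one of the tools is flagged;
        # the same tool run from cmd.exe by an administrator is left alone.
        if parent in BROWSER_PARENTS and child in SUSPICIOUS_CHILDREN:
            hits.append((row["time"], row["host"], parent, child, row["command_line"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print("ALERT", *hit)
```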

If you find that you cannot access your files and see a message claiming that you have to pay money to receive the key, you should know that ransomware has entered your system. Unfortunately, it is unlikely that you will be able to decrypt your files, so you should simply recover them from a backup. You may think that the easiest way to regain access to your files is to pay, but you should not do that under any circumstances: you will not only lose your money but also reveal your credit card details, which the cyber criminals can use to steal even more.

As can be seen, malicious software can enter your system even if you only surf the Internet on a daily basis. It may seem that protecting the system from malware is not easy; however, you should still try to do so. As already mentioned, it would be wise to install a security tool on the system.
