
New Ransomware Warning: Fessleak

February 10, 2015


Security researchers have discovered a new ransomware strain called "Fessleak". Because it delivers its malicious code straight into system memory and does not drop any files on disk, most antivirus software is unable to catch it.

The infection vector is malicious ads on popular websites. End-users visit a major site and click on an ad. That single click is enough: the victim is then confronted with a full-screen message announcing that all personal or business files, photos and videos have been encrypted, and that a ransom in Bitcoin must be paid to get them back.

These cybercriminals set up a short-lived burner domain pointing to a landing page that hosts the exploit kit. They then start real-time bidding for ads that link to the burner domain. Once their malicious ad is displayed on a popular website and users click on it, they are redirected to the malicious domain, which in turn infects their workstation.

This group is also using 0-day exploits for Flash Player, and is apparently able to change its malware on the fly to exploit the most recent vulnerabilities. At this time, there is no detection for the malicious binary.

Here are some recommendations to mitigate this type of attack:

  • Do not click on any ads.
  • Back up your files.
  • Keep your attack surface as small as possible by making sure your OS and third-party apps are patched as soon as possible.
  • Run an Adblock plug-in for each browser you use.

If you need assistance, contact the IT Help Center.