A malvertising campaign used to deliver ransomware hit two UK universities and was capable of infecting any user who merely visited the malicious website.
The University of London and Ulster University took their systems offline after a ransomware attack, which security researchers have now identified as Mole ransomware, a form of file-encrypting malware that first appeared in April. It changes the extensions of infected files to .MOLE. The malware is reported to be a member of the CryptoMix ransomware family.
Proofpoint security researchers have revealed that the ransomware was spread through AdGholas ads.
Although this particular attack targeted the two British universities, the malvertising was part of a much wider attack that tried to hit entire countries around the world through a malicious site.
One of the reasons the ransomware was able to penetrate university networks was that users did not need to click on malicious ads. Simply visiting the malicious website was enough to infect everyone, as the attackers used the Astrum exploit kit and an old Flash exploit.
"You don't have to click on the ad to get infected; the ad just has to be shown: if your system is vulnerable, then the infection will occur without any user interaction," said Kafeine, the researcher who discovered the ransomware.
The attack began between 14 and 15 June, with targets in the UK and possibly in the US.
Those infected with Mole saw a note demanding 0.5 Bitcoin (now 1,364 dollars) in exchange for decrypting the files.
However, in the case of the UCL and Ulster universities, the ransom was not paid because the administrators had backups taken before the attack.