JPCERT-AT-2015-0015
JPCERT/CC
2015-05-26

<<< JPCERT/CC Alert 2015-05-26 >>>

Alert regarding ransomware infections

https://www.jpcert.or.jp/english/at/2015/at150015.html

I. Overview

JPCERT/CC has observed a large number of cases where a type of malware called ransomware is used in an attack to encrypt files on a device. The victim is then sent a message asking for a payment in exchange for decrypting the files.

In these attacks, the attacker alters the contents of a website, and visitors to the compromised website are redirected to a website that contains an attack tool kit (herein, attack site). When a visitor is redirected to an attack site, the site attempts to leverage vulnerabilities in the OS or various software (Adobe Flash Player, Java, etc.) for an attack. A user PC running vulnerable software may be infected with ransomware as a result.

At JPCERT/CC, we have observed the following vulnerabilities being leveraged in attacks that result in ransomware infection.

- CVE-2015-0313 (Adobe Flash Player)
- CVE-2014-6332 (MS14-064)

The vulnerability that is leveraged may vary depending on the user environment. It is recommended to update the OS and other software, such as Microsoft Windows, Adobe Flash Player, Java and Internet Explorer, to the latest version.

II. Solution

[For web site administrators]

In order to prevent your website from being compromised and user PCs from being infected by ransomware, please check the following and consider implementing countermeasures as necessary.

(Points to Check)
- Check if the OS and software used for the website are the latest versions
- Check if the web contents have been altered to embed malicious contents
- Check if the PC used to update the website is infected with ransomware. If administration of the website is outsourced, verify with the outsourcing company that the PCs used are not infected with ransomware

(Countermeasures)
- Update the OS and software being used for the website to the latest versions as necessary
- Only allow website content updates from designated locations and PCs (IP address, etc.)

[For users]

The attack sites that users are redirected to attempt to leverage known vulnerabilities in order to install ransomware. Refer to the following URLs and update any software being used to the latest versions. Also, it is recommended to back up your data periodically in case files are encrypted.

[Microsoft]
Microsoft Update
http://www.update.microsoft.com/
Windows Update
http://windowsupdate.microsoft.com/

[Adobe]
Adobe Flash Player Download Center
https://get.adobe.com/flashplayer/
Adobe - Product Updates (Adobe Acrobat, Adobe Reader)
http://www.adobe.com/downloads/updates/

[Oracle Java]
Free Java Download (JRE 8, English)
https://java.com/en/download/

If you have any information regarding this alert, please contact JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/
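
The website administrator check in section II, "Check if the web contents have been altered to embed malicious contents", can be automated by comparing the deployed pages with a known-good copy and listing script or iframe hosts that are not expected. The following is an added example, not part of the JPCERT/CC alert; the snapshot format ({path: content}), the host allowlist and all sample pages and hosts are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class SrcCollector(HTMLParser):
    """Collect the hosts that <script src> and <iframe src> point at."""
    def __init__(self):
        super().__init__()
        self.hosts = set()
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            host = urlparse(dict(attrs).get("src") or "").hostname
            if host:  # relative URLs have no host and stay on-site
                self.hosts.add(host.lower())

def digest(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def audit(baseline, current, allowed_hosts):
    """Compare {path: content} snapshots; report each changed path with
    its status and any script/iframe hosts outside the allowlist."""
    findings = {}
    for path, content in current.items():
        old = baseline.get(path)
        if old is not None and digest(old) == digest(content):
            continue  # unchanged since the known-good copy
        collector = SrcCollector()
        collector.feed(content)
        unknown = sorted(collector.hosts - set(allowed_hosts))
        findings[path] = ("added" if old is None else "modified", unknown)
    for path in baseline.keys() - current.keys():
        findings[path] = ("removed", [])
    return findings

# Constructed sample data: a known-good snapshot and a later, altered one.
BASELINE = {
    "index.html": '<html><script src="/js/app.js"></script></html>',
    "about.html": '<html><script src="https://cdn.example.com/lib.js"></script></html>',
}
CURRENT = {
    "index.html": '<html><script src="/js/app.js"></script>'
                  '<iframe src="http://unexpected-host.invalid/" width="0"></iframe></html>',
    "about.html": BASELINE["about.html"],
}

if __name__ == "__main__":
    for path, (status, hosts) in audit(BASELINE, CURRENT, {"cdn.example.com"}).items():
        print(path, status, hosts)
```

In practice the baseline would be taken from the known-good deployment source and the current snapshot read from the web root on a schedule.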