A new ransomware called Threat Finder is being distributed through the Angler exploit kit to users who run outdated versions of browser plug-ins.
Information about the ransomware first surfaced in January, when a user reported that Threat Finder had encrypted his data without being detected by the antivirus products he had installed.
Rackspace security researcher Brad Duncan found a sample of the malware and analyzed the method of infection and the ensuing effects.
The host was infected in a drive-by attack, Duncan said. While the user was browsing a compromised website, Angler EK exploited a vulnerable browser plug-in and then downloaded and installed Bedep, a payload used for ad fraud and for delivering additional malware.
In the case Duncan investigated, Bedep appears to have downloaded and installed Threat Finder on the victim's machine and also started click-fraud activity.
“About the time Threat Finder displayed the decrypt instructions, we saw click fraud traffic from the infected host. Click fraud traffic generates ad revenue through numerous requests for web traffic from the infected host,” the researcher said in a blog post.
As soon as Threat Finder is deployed on a system, it begins encrypting file types that matter to the user. According to a report from Bleeping Computer, the list includes text documents, media files (images, video) and database formats.
Bleeping Computer also notes that the encryption does not change the file name; the only sign that a file has been encrypted is that the program associated with it can no longer open the content.
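Because the file names are left intact, one practical triage check is to compare each file's leading bytes against the signature expected for its extension. The script below is an added example, not code from the article or from the researchers it cites; the signature table and the sample files are constructed for illustration and a real deployment would extend the table to the types in your environment.

```python
import os
import tempfile

# Constructed, minimal magic-byte table for some of the file types the
# article says Threat Finder targets (images, documents, databases).
SIGNATURES = {
    ".jpg": [b"\xff\xd8\xff"],
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".pdf": [b"%PDF-"],
    ".docx": [b"PK\x03\x04"],
    ".xlsx": [b"PK\x03\x04"],
    ".sqlite": [b"SQLite format 3\x00"],
}

def header_matches(path):
    """True if the file's first bytes match its extension, False if they do
    not, None if the extension is not in the table (unknown, not suspect)."""
    ext = os.path.splitext(path)[1].lower()
    sigs = SIGNATURES.get(ext)
    if sigs is None:
        return None
    with open(path, "rb") as f:
        head = f.read(max(len(s) for s in sigs))
    return any(head.startswith(s) for s in sigs)

def classify_tree(root):
    """Map each file under root (path relative to root) to header_matches()."""
    out = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            out[os.path.relpath(p, root)] = header_matches(p)
    return out

def find_suspect_files(root):
    """Files whose content no longer matches the name they still carry."""
    return sorted(p for p, ok in classify_tree(root).items() if ok is False)

def build_sample_tree():
    """Constructed sample directory: two intact files, two whose bytes were
    replaced with opaque data while the names were left alone, one unknown type."""
    d = tempfile.mkdtemp()
    opaque = b"\x5a\x91\x0c\xe4\x77\x03\xb8\x2d\x19\xf0\x66\xaa\x4e\x8b\x31\xdc"
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,
        "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "holiday.jpg": opaque,
        "invoice.docx": opaque,
        "notes.txt": b"plain text, extension not in the table\n",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d
```

A mismatch is a lead, not proof: legitimately malformed or misnamed files also trip the check, so treat the hit list as a starting point for triage against backups and shadow copies.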
Once the data is encrypted, Threat Finder displays the ransom message and demands 1.25 bitcoins (about $300) in exchange for the decryption key.
However, researchers said the encryption process does not delete Shadow Volume Copies, so the affected data can be recovered through the Windows Previous Versions feature or with a program that can read the untouched shadow copies.