The ransomware was discovered by security researchers at Trustwave. Trustwave uncovered the malvertising network after noticing that several of its products were detecting a suspicious-looking file being downloaded by major news sites.
The file was hosted on a server at “brentsmedia.com.” It redirected the web browser several times to hide its tracks, eventually downloading a 12,000-line JavaScript file that checks whether popular security tools are installed. If it finds the user’s computer unprotected, it downloads the widely used Angler exploit kit and injects it into the webpage, giving the ransomware’s creators the ability to lock the computer user’s files.
Trustwave looked at the ownership history of brentsmedia.com and discovered that it had only recently changed hands. Its previous owner, a legitimate advertising company called BrentsMedia, failed to renew its registration in January, putting the domain up for public sale.
It was re-registered on March 6 under the name “Pavel G Astahov.” The new owners appear to be trading on BrentsMedia’s reputation to infiltrate ad providers and get websites to host malicious content without realising it.
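The pattern described above (a multi-hop redirect ending at a domain that was re-registered only days earlier and serves an unusually large script) is something a defender can look for in web proxy logs. The following is an added example, not Trustwave’s code or anything from the campaign itself; the proxy log lines, the domain registration dates and the alerting thresholds are all constructed for illustration, and in practice the registration dates would come from a WHOIS or RDAP lookup rather than a hard-coded table.

```python
"""Flag script downloads that arrive via a long redirect chain from a
recently registered domain (constructed example, not Trustwave's code)."""
from collections import defaultdict
from datetime import date

# Constructed proxy log: (timestamp, client, referrer, url, content_type, bytes).
# The brentsmedia.com entries mirror the chain described in the article;
# the hostnames, paths and sizes are invented.
PROXY_LOG = [
    ("2016-03-13T10:00:01", "10.0.0.5", "https://news.example/", "https://ads.example/tag.js", "application/javascript", 4_100),
    ("2016-03-13T10:00:02", "10.0.0.5", "https://ads.example/tag.js", "https://track.example/r?x=1", "text/html", 300),
    ("2016-03-13T10:00:02", "10.0.0.5", "https://track.example/r?x=1", "https://brentsmedia.com/hop", "text/html", 280),
    ("2016-03-13T10:00:03", "10.0.0.5", "https://brentsmedia.com/hop", "https://brentsmedia.com/loader.js", "application/javascript", 410_000),
    ("2016-03-13T10:05:00", "10.0.0.7", "https://news.example/", "https://ads.example/tag.js", "application/javascript", 4_100),
    ("2016-03-13T10:05:01", "10.0.0.7", "https://ads.example/tag.js", "https://cdn.example/banner.js", "application/javascript", 9_000),
]

# Constructed registration dates; brentsmedia.com's March 6 date is from the article,
# the rest are invented. A real deployment would query WHOIS/RDAP here.
REGISTRATION = {
    "brentsmedia.com": date(2016, 3, 6),
    "ads.example": date(2010, 1, 15),
    "cdn.example": date(2012, 6, 1),
    "track.example": date(2014, 2, 2),
}


def domain_of(url):
    """Return the lower-cased host part of an http(s) URL."""
    return url.split("/")[2].lower()


def redirect_chain(entries, end_url):
    """Walk referrers backwards from end_url through one client's log entries
    and return the chain in load order (first page first)."""
    by_url = {e[3]: e for e in entries}
    chain, seen = [end_url], {end_url}
    cur = by_url.get(end_url)
    while cur is not None and cur[2] not in seen:
        chain.append(cur[2])
        seen.add(cur[2])
        cur = by_url.get(cur[2])
    chain.reverse()
    return chain


def suspicious_script_loads(log, today, max_age_days=30, min_script_bytes=100_000, min_hops=3):
    """Return alerts for JavaScript downloads that match at least two of:
    freshly registered domain, long redirect chain, very large payload."""
    by_client = defaultdict(list)
    for e in log:
        by_client[e[1]].append(e)
    alerts = []
    for client, entries in by_client.items():
        for e in entries:
            if "javascript" not in e[4]:
                continue
            reasons = []
            reg = REGISTRATION.get(domain_of(e[3]))
            if reg is not None and (today - reg).days <= max_age_days:
                reasons.append(f"domain registered {(today - reg).days} days ago")
            chain = redirect_chain(entries, e[3])
            hops = len(chain) - 1
            if hops >= min_hops:
                reasons.append(f"{hops}-hop redirect chain")
            if e[5] >= min_script_bytes:
                reasons.append(f"script size {e[5]} bytes")
            # Requiring two signals keeps ordinary ad tags from firing alerts.
            if len(reasons) >= 2:
                alerts.append({"client": client, "url": e[3], "chain": chain, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in suspicious_script_loads(PROXY_LOG, date(2016, 3, 13)):
        print(a["client"], a["url"], "<-", " -> ".join(a["chain"]))
        print("  reasons:", "; ".join(a["reasons"]))
```

Run against the constructed log, only the 10.0.0.5 download of loader.js is reported, with all three signals; the ordinary ad tag served to both clients and the banner script on the long-registered CDN are left alone. Requiring two independent signals rather than one is deliberate: ad networks legitimately bounce browsers through several trackers, and a newly registered domain on its own is common, so either alone would drown an analyst in noise.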
The infected ads were delivered through “at least” two networks used by some of the world’s largest websites. Trustwave commended adnxs for its quick response, blacklisting the adverts within an hour of being contacted. A second provider, taggify, had not replied by the time Trustwave publicly detailed the issue on March 14.