Malvertising and the Ransomware Cold War

In the wake of major ransomware incidents, Product Marketing Lead Gavin Dunaway examines the digital advertising industry’s role in preventing future attacks.

“The whole game here is just a good ol’ fashioned Cold War intel op,” a colleague commented on recent high-profile ransomware attacks. “Find the weakest human for a way in, and once you’re in, do the damage.”

Because I’m a sucker for Cold War spy tales and movies like “Tinker Tailor Soldier Spy” or “A Most Wanted Man,” the observation really resonated with me. Certainly ransomware attacks have been on the rise for years, but the recent Colonial Pipeline and JBS Foods episodes are arguably the first where large numbers of Americans felt (and will feel) the impact in the form of gas and meat shortages.

But I couldn’t help thinking about the differences between Cold War espionage and contemporary ransomware. While it’s true ransomware centers on finding the digital chink in an organization’s armor, that search is fueled by stolen personal data or device access—which is frequently reaped through seemingly omnipresent malvertising.

Points of Compromise

In a classic spy yarn, a government agent hunts for and grooms a disgruntled foreign civil servant, and then turns them into an information asset, potentially using compromising material. (In a good spy movie, though, something typically goes terribly, terribly wrong.) In the modern digital world, turning a user into a ransomware asset doesn’t require targeting or grooming—or at least not in the same fashion.

Many ransomware targets are chosen by the exposed data at hand—supposedly the Russia-based REvil group accused of perpetrating the JBS Foods ransomware attack was actually targeting Brazilian entities, not American ones. It’s not that dissimilar to spies searching for compromising material to blackmail a potential asset—but the ultimate organizational target is fluid.

Where did the compromising data come from? In the Colonial Pipeline incident, a ransomware group called DarkSide—which actually sells its malware in a “Ransomware-as-a-Service” business model on the dark web—used an outdated VPN password to shut down the pipeline. Bloomberg reported that the compromised password was among a batch discovered on the dark web.

Company officials and investigators aren’t sure of the source of the batch, but it doesn’t take Sherlock Holmes’ deductive reasoning to consider malvertising a prime suspect. Yes, malvertising can be an incredibly useful tool for hackers—as we’ve noted time and again, digital advertising is an efficient and cost-effective channel for delivering malware.

Cogs in the Ransomware Machine

While malvertisers can use stolen data or device access to perpetrate ransomware attacks themselves, it’s more likely they sell that data and access on the dark web to others who then build a ransomware attack on top of it.

That makes everyone in the digital media and advertising space potentially culpable in ransomware attacks. If we’re not vigilant in shutting down malvertising, the consequences may come back to burn us outside of the safety of our workspaces.

Malvertising—as well as scam ads, which The Media Trust differentiates—is a key part of the ransomware ecosystem. When the digital media and advertising industry looks the other way as malicious ads—phishing redirects, fake software downloads, etc.—flow through the programmatic pipes, we’re increasing the likelihood of another major attack.

This has become perilous with the rise of malicious clickbait, which isn’t as annoying as a forced redirect, but can be a quiet menace. It’s tempting to cry “no harm, no foul” when it shows up on sites because the damage only occurs when a user clicks. But users click, users fall for scams, users have their data stolen. The more opportunities we give malvertisers to reach audiences by failing to block malicious clickbait, the more success they will have—and that’s more fuel for the ransomware ecosystem.

Then there’s the particularly nefarious LNKR—next-generation adware that’s spreading across browsers like wildfire. LNKR browser extensions are an evolution of browser toolbars, serving excess ads that mar the user experience as well as additional malvertising and malware. On top of that, LNKR tracks infected users everywhere they go, which can be quite useful data for someone with devious plans. Ransomware practitioners can purchase the tracking data on users infected by LNKR to suss out the perfect target.

Fight Ransomware, Protect Consumers

This is only the tip of the iceberg. But the digital media industry can fight back and protect users. Half measures—like skimping on your malvertising blocking by going with a cut-rate service that promises you can set it and forget it, or one that only focuses on a segment of malvertising like redirects—are not enough. Malvertising is an expansive practice, and comprehensive coverage is essential.

Ad quality firms like The Media Trust are analyzing what we come across on client pages and using proprietary client-side scanning to detect emerging threats “in the wild.” In addition, we share findings and trends with TAG’s Threat Exchange. Pushing back against threat actors is a team effort.

Blocking malvertising is about more than protecting users; it’s the digital advertising industry’s responsibility and role in this new digital cold war against shadowy malevolent actors. Because if we don’t, it will come back to haunt us. One week it’s a fuel shortage, the next there’s no meat at the grocery store, the week after that your power goes off and you have no idea when it’s coming back on.