Department of bizarre coincidences: yesterday I published a ransomware information page on this site, on approximately the same lines as the tech support information page. Today an article by Zeljka Zorz for Help Net Security – A double whammy of tech support scam and ransomware hits US, UK users – directed me to this Symantec article by Deepak Singh: Tech support scams redirect to Nuclear EK to spread ransomware – Tech support scammers may have bolstered their arsenal by using the Nuclear exploit kit to drop ransomware onto victims’ computers. Which seems to belong on both pages.
This isn’t the first time I’ve heard of scammers who try to lure potential victims to a site from which the Nuclear exploit kit is being served as well as the support scam. Martijn Grooten wrote in some detail about such a case – Compromised site serves Nuclear exploit kit together with fake BSOD – for Virus Bulletin, back in July 2015. In this instance, though, if the exploit kit is successful in finding an exploitable vulnerability on the victim’s system, it will drop either the ugly Cryptowall ransomware or a data-stealing Trojan.
Perhaps this is not an instance of support scammers deliberately making use of an exploit kit with the intention of maximizing profit through ransomware or information stealing. But as Singh observes ‘…if this proves to be an effective combination, we are likely to see more of this in the future.’ And we’ve already seen a similarity in the way that non-encrypting ransomware and some support scams both make use of fake alerts and BSODs as a lure. While there may still be some inept but well-meaning support scam operators out there, there are many more who – inept or otherwise – are perfectly happy to trash a victim’s system. If they can use encrypting ransomware to monetize that ruthlessness, it would be naive to believe they won’t take that route instead.