We have been observing a malvertising campaign via
Rig exploit kit delivering a
cryptocurrency-mining malware and the GandCrab
ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as
RANSOM_PRINCESSLOCKER.B), and was actually a new version of the
Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a
ransomware as a service (RaaS) and are looking for affiliates.
The new malvertising campaign we observed since July 25 is notable in that the malvertisements included
Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME to map their advertisement domain on a malicious webpage on the service.
[...]
Ransomware as a Service Princess Evolution Looking for Affiliates - TrendLabs Security Intelligence Blog
