Security Alert: Malvertising campaign using SundownEK drops SEON ransomware
Here’s what happened and how you can protect yourself
The advertising systems of several popular websites have been compromised by an injection of a malicious script that redirects random visitors to a SundownEK gateway.
Then, non-updated systems are prone to ransomware infections.
The respective injection redirects the traffic via the following chain (sanitized by CSIS):
The latter acts as SundownEK payload delivery and it is by no means the only subdomain that uses this FQDN for this kind of activity (sanitized by CSIS):
The domain (sanitized by CSIS) mtproto[.]world could be activated in case the domain previously mentioned is disabled.
SundownEK will try to exploit vulnerabilities in Adobe Flash Player and Internet Explorer.
If the machine has not been properly updated, a binary payload will be delivered. This will run ransomware of the SEON class, namely version 0.2 of this malicious ransomware.
Not only that, but a slightly modified version of data stealer Pony will also be dropped.
This SEON variant adds the file extension .FIXT to all data files, both locally and on all available network drives.
Criminals request that the victims contact them via several email addresses listed in the SEON ransomware message.
All folders that have had data encrypted by SEON ransomware contain a text file with the following note:
SEON RANSOMWARE ver 0.2
all your files has been encrypted
there is only way to get your files back: contact with us, get decryptor software and pay
We accept Bitcoin and other cryptocurrencies
You can decrypt 1 file for free
Our contact emails:
[removed by CSIS]-
Heimdal blocks the related domains, so all Thor Home and Thor Enterprise users are safe.
The security guide you need to follow so you don’t risk losing your data
There is no guarantee that a key for the SEON Ransomware will be provided by this group in exchange for money.
And even if the malicious group actually provided a key that decrypts your files, you should not be paying them. By offering them money, you are encouraging this type of criminal online behavior.
As per our knowledge, currently, there is no free decryption tool available for SEON.
So, here are the steps you need to follow to stay protected against the SEON ransomware (and other ransomware strains in general):
#1. Make sure you always apply updates to your system, software, and apps.
In this specific case, check if you are running the latest version of Adobe Flash Player and IE. Or use a solution that closes security holes in your software through automatic patching, like Thor Free.
#2. Always back up your files.
If you have a copy of your files stored somewhere, either on an external hard drive or in the Cloud, the ransomware attack wouldn’t mean that much to you. Well, of course, you would have to start out with a fresh PC installation, but at least you still have access to your backed-up important documents.
This guide will show you how to back up your files.
#3. Have a good security solution running on your PC.
Use a proactive, anti-malware solution that detects threats before they happen. Malware is specially developed to bypass your traditional antivirus, but if you add additional security layers, you can rest assured you are safe.
For example, Thor Foresight Home always protects you against ransomware attacks, because it filters your Internet traffic and blocks ransomware distribution sources. Also, it automatically updates your apps, so you don’t have to worry about it. And it works great alongside any other antivirus software.
EASY AND RELIABLE. WORKS WITH ANY ANTIVIRUS.Download Free Trial
#4. DO NOT pay the ransom.
I’ve said this before and I’ll say it again: whatever you do, just don’t pay the ransom!
*This article features cyber intelligence provided by CSIS Security Group researchers.