We are all very familiar with URL shortening services, which are regularly used in Tweets and other social media. It is no secret that cyber criminals also use URL shorteners to aid them in achieving their objectives. URL shorteners are often used by cyber criminals to obfuscate redirects to malicious destinations.
Recently, a URL shortening service was used to shrink a dubious link, obfuscating a malicious destination:
which was actually a malicious script dowloader “Statement.js”, dropping Cryptowall from
Cryptowall is Ransomware which encrypts files on your computer and demands that a ransom be paid in order to receive instructions (private key) for decrypting your files (in this case, RSA-2048 encryption was used).
Shortened malicious URL: [url]/1|Qblabla –> hxxp://46(dot)30(dot)45(dot)39/Statement.jpg = Statement.js (malicious script downloader).
Statement.js –> executable yyo.w (Cryptowall) from 46(dot)30(dot)45(dot)39/yyo.w
The URL shortener service disabled the shortened URL, but the IP identified was still serving up Cryptowall at the time of this write-up (Cryptowall file from 46(dot)30(dot)45(dot)39/yyo.w and subsequent communication shown above.
During post-infection, the victim is provided with details about what just happened, and a short explanation about encryption. They’re also given the steps needed to in order to get the files decrypted. Finally, they provided details about the specific homepage crafted for them and instructions for downloading and installing the Tor browser.
The text reads as follows:
Cannot find the files you need? Is the content of the files that you have watched not readable? Is it normal because the files names, as well as the data in your files have been encrypted. Congratulations!!! You have become a part of a large community #Cryptowall. Your files have been encrypted with 5he Cryptowall software; the instructions that you find in folders with encrypted files are not viruses, they are your helpers. After reading this text 100% of people turn to a search engine with the word Cryptowall where you'll find a lot of thoughts, advice and instructions. Think logically - we are the ones who closed the lock on your files and we are the only ones who have this mysterious key to open them. Any of your attempts to restore your files with the third-party tools can be fatal for encrypted files. In case if these simple rules are violated we will not be able to help you and we will not try because you have been warned. For your attention the software to decrypt the files (as well as the private key that comes fitted with it) is a paid product. After purchasing the software package you can 1) Decrypt all your files 2) Work with your documents 3) View your photos and other media content 4) Continue your habitual and comfortable work at the computer
IP Location: Russian Federation Russian Federation Moscow Eurobyte Llc
ASN: Russian Federation AS35415 WEBZILLA Webzilla B.V. (registered Aug 03, 2005)
Resolve Host: vz110372.eurodir.ru
Whois Server: whois.ripe.net
IP Address: 18.104.22.168
Reverse IP: 1 website uses this address.
Ransomware is nothing new but cyber criminals are constantly coming up with tradecraft to stay one-step ahead of of the security industry. This short blog is not meant to single out a specific URL shortener service nor is it meant to be a high-level analysis of Cryptolocker. This blog is more focused on arising awareness when dealing with shortened links.
There are precautions that can be taken to avoid clicking on a malicious shortened link, such as not clicking on a shortened link if you do not know who it is from. If you want to take additional measures, there are services that unshorten shortened URL’s such as
Furthermore, it is highly recommended that you use anti-virus and anti-malware in conjunction for the best possible protection. Malwarebytes Anti-Malware protects users from this attack, including blocking identified malicious IPs and domains associated with Ransomware.