'Police Ransomware' Becomes Java 0-Day-Borne

The recently discovered vulnerability disclosed on Thursday has been finally patched by Oracle, but exploitation in the wild continues on computers that have not been updated yet. With exploitation code included in world’s most frequently used exploit packs such as BlackHole, Nuclear Pack and the Cool Exploit Kit, cyber-criminals have started to take advantage of the huge pool of vulnerable computers by planting ransomware.

Bitdefender has identified multiple campaigns that use the CVE-2013-0422 bug in Java to infect client machines with the notorious IcePol (also known as Reveton). Once the computer is successfully infected, the user is denied access to the desktop until payment of a ransom, which the criminals call a ‘fine’.

Most of these attacks are directed from servers in the UK, Canada and the US, but, since the Reveton ransomware is localized in multiple languages depending on the IP address of the infected computer, victims are spread across the world. All it takes is a vulnerable version of Java.

Exploit prevalence – breakdown by country for the past three days

Bitdefender customers have been protected since the emergence of the threat by multiple layers of defense, from page blocks to signatures on the exploit files. We also offer a free removal tool for computer users who don’t have a Bitdefender product and already got infected with the IcePol ransomware. The tool is available immediately via the Bitdefender Toolbox.

To stay safe, we recommend you to patch your Java distribution immediately to Update 11. We also advise that you disable the Java plugin in the browser you are using for web-related tasks and only enable it in an alternative browser to be used for tasks requiring Java.