This new variant effectively turns Windows 7 users, still 49 percent of all Windows users, into defenseless targets for the next ransomware wave. The Angler Exploit Kit is already the preferred delivery vehicle for attackers' malware. In this campaign the payload was TeslaCrypt ransomware, but there is no limit to what payload can be delivered in its place.
Morphisec VP of R&D Michael Gorelik sees more exploits ahead: “I predict that with this vulnerability, the prominence of Angler will only increase. Based on details from FireEye’s research, it would take very little to implement the same bypass on Microsoft Windows 8, 8.1 and 10. I foresee that the same web attacks with light modification will soon target more advanced OSes, not only through browsers but also documents containing third-party plugins like Flash.”
What can you do?
First of all, companies must understand that running EMET does not mean they can delay patching frequently attacked programs. Unfortunately, patching on an ad-hoc, emergency basis is not practical for most enterprises. Removing ActiveX plugins such as Flash or Silverlight, or blocking Internet Explorer from loading them, will address this particular exploit variant, although it won't protect against other possible attack vectors, such as a document-based attack that carries embedded Flash content. In our view, the only solutions that actually prevent such attacks are those that apply Moving Target Defense (MTD) concepts to conceal application vulnerabilities and block web-based and in-memory attacks.
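The browser-side mitigation above, blocking the Flash and Silverlight ActiveX controls in Internet Explorer, can be rolled out with the IE "kill bit" mechanism rather than by uninstalling the plugins. The script below is an added example, not code from the original post or from Morphisec: it sets the kill bit for both controls and then reports whether each one is actually blocked. The two CLSIDs are the well-known ones for the Adobe Flash Player and Microsoft Silverlight controls and are an assumption on my part; confirm them against HKCR\CLSID on your own build before deploying via GPO.

```powershell
# Added example, not code from the original post or from Morphisec.
# Sets the Internet Explorer ActiveX "kill bit" for the Flash Player and Silverlight
# controls so IE refuses to instantiate them, then reports whether each is blocked.
# Run from an elevated PowerShell prompt on the affected Windows 7 hosts.
#
# Assumption (not taken from the post): the two CLSIDs below are the well-known
# Flash Player and Silverlight control CLSIDs; verify them under HKCR\CLSID first.

$Controls = @{
    'Adobe Flash Player'    = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'
    'Microsoft Silverlight' = '{DFEAF541-F3E1-4c24-ACAC-99C30715084A}'
}

# COMPAT_EVIL_DONT_LOAD: Internet Explorer will not load a control carrying this flag.
$KillBit = 0x400

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so cover both where present.
$CompatKeys = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
    $CompatKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
}

function Set-ActiveXKillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the kill bit into any flags already present instead of overwriting them.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value ($current -bor $KillBit) -Type DWord
}

function Test-ActiveXKillBit {
    param([string]$BaseKey, [string]$Clsid)
    $key = Join-Path $BaseKey $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
}

foreach ($name in $Controls.Keys) {
    $clsid = $Controls[$name]
    foreach ($base in $CompatKeys) {
        Set-ActiveXKillBit -BaseKey $base -Clsid $clsid
        $blocked = Test-ActiveXKillBit -BaseKey $base -Clsid $clsid
        '{0,-22} {1}  {2}' -f $name, $(if ($blocked) { 'BLOCKED    ' } else { 'NOT BLOCKED' }), $base
    }
}
```

Note what this does and does not cover: the kill bit only stops Internet Explorer from instantiating the control, so it closes the drive-by path Angler uses here but does nothing for Flash content embedded in an Office document or for a plugin loaded by another browser, which is exactly the caveat raised above. Treat it as a stopgap alongside patching, not as a replacement for it.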
The constantly growing sophistication of advanced attacks and of the vectors they use is the impetus behind Morphisec’s MOVING TARGET DEFENSE technology. Its effectiveness in automatically blocking this new version of Angler EK bears out our approach.
If you are interested in learning more about the differences between EMET and Morphisec's Moving Target Defense, please download our EMET FACTSHEET.
Note: For this specific attack, the TeslaCrypt master decryption key, which the ransomware's operators released when they shut down, may allow victims to decrypt their files: http://www.bleepingcomputer.com/news/security/teslacrypt-shuts-down-and-releases-master-decryption-key/.