Virus slingers who find themselves unsatisfied by merely ruining computers with ransomware are now first stealing a victim's admin passwords to enslave their websites into attack campaigns.
The battery starts with the installation of the Pony malware, which in 2013 stole some two million passwords through its global botnet.
Pony can also plunder passwords from more than 100 applications, social media sites, and Google accounts.
It is not clear how that initial Pony infection takes place, however.
Heimdal Security bod Andra Zaharia says stolen passwords are used to upload scripts to a victim's site before users are pushed to malicious drive-by-download pages.
There the infamous Angler exploit kit delivers the as-yet insurmountable Cryptowall 4.0 ransomware.
"The campaign is carried out by installing a cocktail of malware on the compromised PC … which systematically harvests all usable usernames and passwords from the infected system and sends them to a series of control and command servers controlled by the attackers," Zaharia says.
"The Angler exploit kit will then scan for vulnerabilities in popular third party software and in insecure Microsoft Windows processes, if the system hasn’t been updated.
"Once the security holes are identified, Angler will exploit them and force-feed Cryptowall 4.0 into the victim’s system."
Zaharia says the campaign is "extensive" and operates from six bulletproof hosting servers in Ukraine.
It is one of the most complex and likely effective ransomware attacks to date that makes use of the latest Cryptowall variant released less than a month ago and Angler, the world's most effective and popular exploit kit.
Other web scum have taken to recruiting victims into an affiliate program.
Chimera has begun recruiting ransomware victims into an affiliate program where they can gain a 50 percent profit split for spreading the malware, Trend Micro threat man Anthony Joe Melgarejo says.
They are not excused from paying the one Bitcoin ransom, however. ®