The operators of Exorcist 2.0 ransomware have adopted a new tactic for distributing their ransomware. They have set up fake websites that claim to be crack sites for popular software programs. The websites offer cracking tools that can be used to generate valid license codes that allow popular software to be used free of charge.
One of the websites offers a Windows 10 activator, which can supposedly generate a license code that activates Windows 10 free of charge. When a user arrives on the website, they are presented with download links for the software cracking tool. Clicking a link downloads a password-protected zip file along with a text file that gives the user the password to open the zip file.
This method of file delivery helps prevent the malicious contents of the zip file from being detected by antivirus solutions. Since the archive contents can only be opened with the password, antivirus software cannot scan them. This method also bypasses the protection of Microsoft SmartScreen and Google Safe Browsing.
Once the file contents are extracted, the user must run the setup program, which is actually the Exorcist 2.0 binary. Double-clicking the file starts the file encryption process, and a ransom demand is then presented. Victims must contact the attackers to find out how much must be paid for the keys to decrypt their files, with the attackers setting the ransom amount. Ransom demands can run to several thousand dollars, and there is no way of decrypting files without paying the ransom.
While phishing emails are commonly used to direct individuals to websites where malware and ransomware are downloaded, this campaign uses malvertising: malicious advertisements on third-party ad networks that direct web visitors to malicious websites.
These adverts are displayed in ad blocks on legitimate websites, often high-traffic websites. There have recently been several major malvertising campaigns in which malicious adverts were displayed on some of the most popular adult websites, although any website that uses third-party ad blocks could potentially have malicious adverts displayed to visitors. In this case, the threat actors have used the PopCash ad network.
The Exorcist 2.0 ransomware operators are far from the only ransomware operators to use this method of infecting victims. This tactic has also been used by the operators of STOP ransomware, who similarly used the lure of fake software cracking tools to install their malware.
One of the ways that businesses can protect against this method of malware and ransomware delivery is to use a web filtering solution. A web filter gives careful control over the types of web content that employees can access. In addition to blocking web content that is not needed for work purposes, it can restrict the types of files that can be downloaded and automatically block attempts to visit websites known to be used for malicious purposes.
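As an added illustration of the two points made above (this is example code, not code from the article or from WebTitan): a password-protected zip hides its contents from antivirus scanning, but the encryption flag and the entry names sit in the archive's unencrypted headers, so a download gateway can still recognise an unscannable archive that carries an executable and apply a file-type policy before any scan is attempted. The `inspect_archive` and `build_sample_zip` functions, the block/review/allow policy and the sample archive are assumptions constructed for this example.

```python
import io
import os
import struct
import zipfile
import zlib

# File types the download policy never lets through inside an archive (assumed policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".bat", ".cmd", ".msi", ".dll", ".js", ".vbs", ".ps1"}
ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag in every zip entry header


def inspect_archive(blob: bytes) -> dict:
    """Classify a downloaded zip from its headers alone, without extracting anything.
    Entry names and the encryption flag live in the central directory, which is never
    encrypted, so a gateway can read them even without the password."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return {"verdict": "block", "reason": "not a valid zip archive"}
    encrypted = [i.filename for i in infos if i.flag_bits & ENCRYPTED_FLAG]
    executables = [i.filename for i in infos
                   if os.path.splitext(i.filename)[1].lower() in EXECUTABLE_EXTS]
    if executables:  # file-type policy applies even when the content cannot be scanned
        return {"verdict": "block", "reason": f"executable entries: {executables}"}
    if encrypted:  # nothing to scan, so hold the download for review instead of trusting it
        return {"verdict": "review", "reason": f"encrypted entries: {encrypted}"}
    return {"verdict": "allow", "reason": "all entries scannable, no executables"}


def build_sample_zip(entries: dict, encrypted: bool) -> bytes:
    """Construct a minimal STORED zip for testing. Only the flag bit is set; the payload
    bytes are placeholders, not encrypted data and not the campaign's archive."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    body, cd = bytearray(), bytearray()
    for name, data in entries.items():
        n, crc, off = name.encode(), zlib.crc32(data), len(body)
        body += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0, 0, 0,
                            crc, len(data), len(data), len(n), 0) + n + data
        cd += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, 0, 0, 0,
                          crc, len(data), len(data), len(n), 0, 0, 0, 0, 0, off) + n
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(cd), len(body), 0)
    return bytes(body + cd + eocd)


if __name__ == "__main__":
    lure = build_sample_zip({"readme.txt": b"run setup", "setup.exe": b"MZ"}, encrypted=True)
    print(inspect_archive(lure))
```

The same header inspection works on archives a real gateway intercepts; ZipCrypto and AES-encrypted zips both keep the entry names and flag bits in the clear.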
Businesses that implement WebTitan Cloud have precision control over the content their employees can access, whether they are working from the office, accessing the Internet from a coffee shop, or working from home. WebTitan is available on a free trial and can be implemented in minutes to protect your employees and their devices from malware, ransomware, and phishing attacks.
For further information on the benefits of web filtering and how WebTitan can greatly improve your security posture, call the WebTitan team today.