The cybercriminals behind the Exorcist 2.0 ransomware are now using malicious advertising redirects to trick victims into downloading their malware. According to security researcher Nao_Sec, PopCash malvertising is redirecting users from legitimate links to a fake software crack site. The crack site alleges to offer pirated versions of software for free—for example, one such offer is a ‘Windows 10 Activator 2020’ that will allow someone to use Windows 10 without buying a license from Microsoft. If a person downloads the file from the site, it will contain an archive file that is encrypted, along with a text file that contains a password to the archive. By using a password-protected archive, it allows the download to occur without triggering anti-virus software. Once the setup is running, victims will find that their files are encrypted instead of installing the Windows 10 activator. Contained in the encrypted folder is a ransom note that explains how the victim can pay the ransom through Tor sites. From the ransom notes seen by BleepingComputer, the demands range from $250 to as high as $10,000 depending on the number of files encrypted or other criteria.
Analyst Notes
If someone wishes to use particular software, the safest way of using it is to download the software directly from an authorized and reputable reseller and pay the software fee. Software crackers that offer free use of any software have a high probability of containing malicious scripts and should not be trusted in any way.
Source Article: https://www.bleepingcomputer.com/news/security/fake-software-crack-sites-used-to-push-exorcist-20-ransomware/