Exorcist 2.0 ransomware finds victims through fake software crack sites

Malicious ads redirect users to fake software crack websites

Exorcist 2.0 ransomware are using ads to lure usersExorcist 2.0 ransomware are using malwertising.

The developers of Exorcist 2.0 ransomware are using malicious ads to lure victims into fake software crack sites that happily distribute their infection to users. After the installation, the victim's files on the computer become encrypted and criminals demand paying the ransom.

Cybersecurity research team Nao_sec[1] showed[2] how malvertising is redirecting users from legitimate sites to a fake software crack site. These websites look very attractive to some users due to the proposed option to use services for free.

Fraudulent websites try to lure victims by offering download links for some useful but illegal programs. They are showing programs that should break copyright protection on paid software so that the user could use it for free. But of course, it is a big lie and instead of the promised program, the victim's computer gets compromised with Exorcist 2.0 ransomware.

Anti-malware software does not help

The so-called activators are prevalent in websites that are used for malware delivery. For example, one such site offers a fake “Windows 10 Activator 2020”. This tool should let you activate Windows 10 OS without paying anything. When the user tries to download the archive, installed security software does not detect the threat and ransomware[3] successfully enters the victim's device. The anti-malware programs, Google Safe Browsing or Microsoft SmartScreen can't find a threat because the archive contains a password-protected zip file and a text file with the archive's password.

But by running the setup program victim will see an unpleasant surprise. Instead of the Windows activator installation process, all files in the computer become encrypted.[4] The victim will no longer be able to open important files: photos, videos, documents, etc. And, like any other ransomware, Exorcist 2.0 ransomware will leave a ransom note in these encrypted folders. The text is typical: cybercriminals says that if the victim wants to decrypt all files, the only possible solution is to pay the ransom through the Tor payment site.

Cooperation with untrustworthy cybercriminals is not the best option

When victims decide to visit the Tor payment site of Exorcist 2.0 ransomware, hackers let them decrypt one file for free. Also, users can find the information about how big the ransom is and can try to talk with criminals behind this ransomware. So far, there are known cases where hackers demand between $250 and $10,000, but there are probably much higher amounts depending on how many files have been encrypted, although other criteria can be used as well.

But there is no guarantee that the victim will recover the files after paying the ransom. In some cases, hackers take the money and then disappear without a trace. Experts also say that victims should not cooperate with criminals and should choose a different path.[5] The best solution to this problem is having backups and deleting ransomware with a reliable antivirus program.

Moreover, it is very likely that the number of victims of the Exorcist 2.0 ransomware will increase if this serious threat continues to spread through fake software crack sites. All users should be extremely careful on the internet and stop trying to use illegal cracks for commercial software.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

Julie Splinters is the News Editor of 2-spyware. Her bachelor was English Philology.

Contact Julie Splinters
About the company Esolutions