Exorcist 2.0 ransomware misdirects users to proxy sites for malware delivery

The Exorcist 2.0 ransomware group is luring internet users with malicious advertising that redirects them to proxy websites. These proxy websites are built to deliver the malware to target computers.

Malvertising placed through an organization called PopCash is redirecting users from legitimate sites to fake sites that distribute the malware.

Specifically, the fake sites host links that offer free downloads of paid software, which in itself amounts to copyright infringement. One such shady website hosted a link for the free activation of a 2020 version of Windows 10.

No (holy water) malware security can stop this Exorcist 2.0

The hackers have also devised a way to bypass Google’s malware protection.

Once users download the files from the shady websites, they receive a password-protected ‘zip’ archive and must run the file inside it to get the software for free.

The password is supplied alongside the download. Because the archive is password-protected, its contents cannot be inspected while it downloads, so Google’s malware protection cannot protect the target computer.
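The trick relies on a scanner being unable to read a password-protected archive. A gateway or endpoint scanner can at least recognise that it is looking at something it cannot inspect and treat it as unscanned rather than clean. The check below is an added example, not code from the article or from any vendor: it hand-assembles two small zip archives in memory, one plain and one with the "encrypted" general-purpose flag set the way a password-protected archive has it, then reports which members are opaque. The member name and contents are constructed test data.

```python
"""Flag password-protected zip archives that a download scanner cannot inspect.

Added example (not code from the article): hand-assembles two small zip
archives in memory, one plain and one with the 'encrypted' flag set the way a
password-protected archive has it, then shows the check a gateway or endpoint
scanner can apply. Member names and contents are constructed test data.
"""
import io
import struct
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001  # bit 0 of the general-purpose flag field


def build_stored_zip(members: dict, encrypted: bool = False) -> bytes:
    """Build a 'stored' (uncompressed) zip by hand so the flag bits can be set;
    the zipfile module itself cannot write encrypted entries."""
    flags = ENCRYPTED_FLAG if encrypted else 0
    local, central = bytearray(), bytearray()
    for name, payload in members.items():
        fname = name.encode()
        crc = zlib.crc32(payload) & 0xFFFFFFFF
        # A real encrypted entry is a 12-byte header plus ciphertext; a scanner
        # cannot read it without the password, so placeholder bytes suffice here.
        body = (b"\x00" * 12 + payload) if encrypted else payload
        offset = len(local)
        local += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                             crc, len(body), len(payload), len(fname), 0)
        local += fname + body
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags,
                               0, 0, 0, crc, len(body), len(payload), len(fname),
                               0, 0, 0, 0, 0, offset)
        central += fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(members), len(members),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def encrypted_members(archive: bytes) -> list:
    """Names of members that cannot be read without the password."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [zi.filename for zi in zf.infolist() if zi.flag_bits & ENCRYPTED_FLAG]


def try_read(archive: bytes, name: str):
    """Member contents, or None when the archive demands a password."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        try:
            return zf.read(name)
        except RuntimeError:  # zipfile raises this for password-protected members
            return None


def scan_verdict(archive: bytes) -> str:
    """'clean' if every member could be inspected, 'opaque' if any member is
    password-protected (block or quarantine rather than pass it as scanned)."""
    if not zipfile.is_zipfile(io.BytesIO(archive)):
        return "not-a-zip"
    return "opaque" if encrypted_members(archive) else "clean"


# Constructed sample archives: the same fake installer, with and without a password.
PLAIN_ARCHIVE = build_stored_zip({"setup.exe": b"MZ placeholder"})
PROTECTED_ARCHIVE = build_stored_zip({"setup.exe": b"MZ placeholder"}, encrypted=True)

if __name__ == "__main__":
    for label, data in (("plain", PLAIN_ARCHIVE), ("password-protected", PROTECTED_ARCHIVE)):
        print(f"{label}: verdict={scan_verdict(data)} hidden={encrypted_members(data)}")
```

The point of the "opaque" verdict is policy, not detection: a download filter that can only say "no malware found" for an archive it never opened should fail closed on that archive, or at least hand it to the endpoint as unscanned.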

Once the download completes and the setup program is run, all user files are encrypted. The encrypted files gain distinctive extensions that are a tell-tale sign of the attack: the malware appends a random extension, mostly consisting of five random letters, to each file.

When encryption finishes, the malware creates a file with an “HTA” extension which, when opened, displays the ransom note. Exorcist 2.0 also creates a separate “key file” for each of the encrypted files.

The encrypted files also come with links to a Tor payment site that explains how to make the ransom payment. The hackers clearly identify themselves as ‘Exorcist 2.0’ in the payment note.
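The artefacts just described (many files gaining the same random five-letter extension, an HTA ransom note, a key file beside each encrypted file) are exactly what an incident responder looks for when triaging a suspect machine. The script below is an added example, not code from the article: it walks a directory tree, counts those indicators and returns a verdict. It builds a constructed victim tree in a temp directory for demonstration; the key-file naming (`<encrypted name>.key`) and the note's file name are assumptions, since the article does not give them.

```python
"""Triage a directory tree for the artefacts the article describes: files that
have gained a five-letter random extension, an .hta ransom note, and a key
file per encrypted file.

Added example (not code from the article). It builds a constructed sample
tree in a temp directory; the key-file naming '<encrypted name>.key' and the
note name are assumptions, since the article does not give them.
"""
import os
import re
import tempfile
from collections import Counter

EXT_RE = re.compile(r"\.([A-Za-z]{5})$")
# Legitimate five-letter extensions that must not be mistaken for ransomware output.
KNOWN_FIVE_LETTER = {"class", "xhtml", "jsonl", "pages", "mjpeg"}


def triage(root: str, min_files: int = 5) -> dict:
    """Count indicators under `root` and return a summary with a verdict.

    An extension is 'suspect' when it is five letters, not on the allowlist and
    shared by at least `min_files` files: one odd extension is noise, dozens of
    files gaining the same odd extension is the signature of mass encryption."""
    ext_counts = Counter()
    paths, notes, key_targets = [], [], set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower.endswith(".hta"):
                notes.append(path)          # HTA ransom note
            elif lower.endswith(".key"):
                key_targets.add(path[:-4])  # per-file key file (assumed naming)
            else:
                paths.append(path)
                m = EXT_RE.search(name)
                if m and m.group(1).lower() not in KNOWN_FIVE_LETTER:
                    ext_counts[m.group(1)] += 1
    suspect = {ext for ext, n in ext_counts.items() if n >= min_files}
    encrypted = [p for p in paths if (m := EXT_RE.search(p)) and m.group(1) in suspect]
    return {
        "suspect_extensions": sorted(suspect),
        "encrypted_files": len(encrypted),
        "encrypted_with_key_file": sum(p in key_targets for p in encrypted),
        "ransom_notes": len(notes),
        "verdict": "likely-ransomware" if suspect and notes else "clean",
    }


def make_sample_tree(encrypted_count: int = 8) -> str:
    """Constructed victim directory: encrypted documents with key files, a ransom
    note and a few untouched files. Returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="exorcist-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for i in range(encrypted_count):
        enc = os.path.join(docs, f"report{i}.docx.qwxzv")   # constructed 5-letter ext
        with open(enc, "wb") as f:
            f.write(b"\x00ciphertext placeholder")
        with open(enc + ".key", "wb") as f:                  # assumed key-file name
            f.write(b"key placeholder")
    with open(os.path.join(docs, "DECRYPT-FILES.hta"), "w") as f:  # assumed note name
        f.write("<html>ransom note placeholder</html>")
    for untouched in ("notes.txt", "Main.class", "photo.jpeg"):
        with open(os.path.join(root, untouched), "w") as f:
            f.write("untouched")
    return root


if __name__ == "__main__":
    print(triage(make_sample_tree()))
```

The `min_files` threshold is what keeps the check from firing on a single oddly named file; tune it to the size of the share being examined, and pair the verdict with the far more reliable signal of a ransom note appearing in many directories at once.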

To date, Exorcist 2.0 has demanded ransoms in the range of $250 to $10,000. However, the group may be demanding higher ransoms from more valuable targets.
