
Fallout Exploit Kit Pushing the SAVEfiles Ransomware


steven36


Last week the Fallout Exploit kit was distributing the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles, for lack of a better name, through malvertising campaigns.

 

This malvertising campaign was first discovered by exploit kit expert Kafeine, who has told BleepingComputer that IP addresses in Japan, France, and other locations have been targeted.  Below you can see a malvertising redirect chain that Kafeine recorded in Fiddler.

 

 

The exploit kit will then automatically download and install the SAVEfiles ransomware onto the victim's computer. The connection to http://xxxart.pp.ua/1/get.php is the ransomware connecting back to its Command & Control server to receive an encryption key.

 

Before the victim knows it, their files will be encrypted with the .SAVEfiles extension as shown below. For example, a file named 1.doc will be encrypted and renamed to 1.doc.SAVEfiles.

 

https://s7d2.turboimg.net/sp/0d243a8029479a273036a1eeff56268f/encrypted-files.jpg

While encrypting the computer, the ransomware will also create ransom notes in each folder called !!!SAVE__FILES__INFO!!!.txt. These ransom notes will tell the victim to contact the attackers at [email protected] or [email protected] for payment instructions.

 

https://s7d7.turboimg.net/sp/0758b804ad02b4edb6bda166dc20351c/ransom-note-red.jpg

SAVEfiles Ransom Note

 

 

The Fallout Exploit kit

The Fallout Exploit kit is a relatively new kit that was discovered in August 2018 being used in malvertising campaigns. Kafeine told BleepingComputer that Fallout is an updated version of Nuclear Pack and is being sold on underground forums.

 

Attackers use this exploit kit by hacking into sites or generating new ones that they then host the exploit kit scripts on. Attackers then use malvertising to redirect users to the sites where the code is located.

 

 

https://s7d6.turboimg.net/sp/1816c995a62be66e9f7ad0eea88a5dd8/fallout-exploit-kit.jpg

Fallout exploit kit script (Source: nao-sec.org)

 

Fallout attempts to exploit vulnerabilities in VBScript and Flash Player on visitors' machines. All a victim has to do is be redirected to or visit a site that is running the exploit kit, and if they are vulnerable, they will have malware automatically installed onto their computer.

 

Source
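A defender-side triage sketch for the indicators named in the article above (the `.SAVEfiles` suffix, the ransom note file name and the C2 URL). This is an added example, not part of the original post or the source article. The file listing, the proxy log layout (`timestamp client_ip method url status`), the client IPs and the timestamps are constructed assumptions.

```python
from collections import defaultdict
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Indicators stated in the article.
ENCRYPTED_SUFFIX = ".SAVEfiles"
RANSOM_NOTE = "!!!SAVE__FILES__INFO!!!.txt"
C2_HOST, C2_PATH = "xxxart.pp.ua", "/1/get.php"

def triage_paths(paths):
    """Group hits by folder: is the ransom note present, which files were renamed?"""
    report = defaultdict(lambda: {"note": False, "encrypted": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        name = p.name.lower()
        if name == RANSOM_NOTE.lower():
            report[str(p.parent)]["note"] = True
        elif name.endswith(ENCRYPTED_SUFFIX.lower()) and len(name) > len(ENCRYPTED_SUFFIX):
            # Strip only the appended suffix: 1.doc.SAVEfiles -> 1.doc
            report[str(p.parent)]["encrypted"].append(p.name[: -len(ENCRYPTED_SUFFIX)])
    return dict(report)

def c2_clients(proxy_lines):
    """Return sorted client IPs whose request URL matches the C2 host and path."""
    hits = set()
    for line in proxy_lines:
        fields = line.split()
        if len(fields) < 5:          # skip lines that do not fit the assumed layout
            continue
        url = urlsplit(fields[3])
        if (url.hostname or "") == C2_HOST and url.path == C2_PATH:
            hits.add(fields[1])
    return sorted(hits)

# Constructed sample input (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\1.doc.SAVEfiles",
    r"C:\Users\alice\Documents\budget.xlsx.SAVEfiles",
    r"C:\Users\alice\Documents\!!!SAVE__FILES__INFO!!!.txt",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Tools\SAVEfiles-notes.md",
]
SAMPLE_PROXY = [
    "2018-01-01T10:01:02Z 10.0.0.15 GET http://xxxart.pp.ua/1/get.php 200",
    "2018-01-01T10:01:05Z 10.0.0.22 GET http://example.com/1/get.php 200",
    "2018-01-01T10:02:00Z 10.0.0.15 GET http://XXXART.pp.ua/1/get.php?id=1 200",
    "malformed line",
]
```

A folder that contains renamed files but no ransom note may mean encryption was interrupted there, so both fields are reported per folder rather than as a single flag.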

 


It is so easy to protect a system from malware/ransomware like this and without installing any AV or Anti malware software that I am surprised some enterprising elementary school student hasn't come up with a company to do it.  Of course there wouldn't be much money in it like there is in selling AV and Antimalware software. 



Archived

This topic is now archived and is closed to further replies.
