Malicious advertising redirection to fraudulent software cracking websites is causing unsuspecting end-users to become victims of the Exorcist 2.0 ransomware variant. This same delivery technique has also recently been used by the STOP ransomware operator. The Threat Actors behind Exorcist 2.0 are forcing the victims of the strain to learn a hard lesson. Beware of anything you download from the internet because the stakes are high, the threats are real, and the outcome may haunt you and your organization.

When a user navigates to the website hxxps://, they are presented with the option to install a tool to activate a copy of Windows 10 for free.

Unless the source is legitimate and known, free software in general should be a giant red flag. Not all suspicious free software is as malicious as this example. A lot of suspicious free software will just install unwanted adware that collects data from the endpoint and change browser settings like the default search engine.

After downloading “Windows 10 Activator”, a zip file containing the following files will be seen on the system:

The file contains a loader that when executed, will begin a series of malicious actions. The zip file is password protected as a way of preventing security software from detecting the malicious code. The user will need to open the file File_Password.txt to retrieve the password needed to extract the contents of the zip file.

After entering the password and extracting the contents, the user will see the file setup_install.exe in the folder.

Executing setup_install.exe will kick off a series of events that eventually lead to an infection of Exorcist 2.0 ransomware. The persistence mechanism relies on creating a program in the startup folder and an auto-run registry key. To evade system defenses, the malicious program will attempt to inject malicious code into legitimate running processes. To potentially disrupt any forensic analysis, the malicious code performs the technique of timestamping that modifies the timestamp of file creation and file modification meta-data. The program also contains the functionality to capture user-input data, data stored in the clipboard, cryptocurrency wallet data, and data stored in browsers such as passwords and history. Overall, the malicious processes are extremely evasive and goes to great lengths to avoid forensic analysis.


URL: hxxps://

Serving IP Address: 104.27.174[.]236

Malicious Loader File: setup_install.exe

SHA1 Hash Value: 7599749835062dbab57bcac0149440f4d508e70e

Contacted Malicious Domain: nffiiload06[.]top

Contacted Malicious IP Address:

SpearTip’s ShadowSpear® Platform was able to detect and prevent this sample of Exorcist 2.0 ransomware, and it didn’t encrypt our analysis system. This sample was extremely evasive and was observed querying a sandbox artifact and if this artifact is found, the malware will kill its processes and not proceed with infection. This mechanism is intended to prevent malware analysis so security tool vendors cannot study its actions and take steps to harden their toolset. SpearTip’s ShadowSpear® Platform simulates the sandbox artifact and once Exorcist 2.0 ransomware detects this, it stops its malicious chain of events and doesn’t infect the system. ShadowSpear®’s Memory Injection Prevention module would also have stepped in to prevent Exorcist 2.0 had the sandbox artifact not stopped the malware’s actions.

Network defenders can apply a handful of strategies to avoid becoming infected with Exorcist 2.0 ransomware delivered through the attack vector highlighted in this example. With all the interesting and powerful security tools available these days, one of the most effective and overlooked strategies is empowering non-technical end-users with the basic knowledge needed to avoid becoming the victim of a cyberattack. User awareness training and phishing simulations can drastically improve an organization’s security posture. More times than not, the weakest link in information security is the human element. As always, a reliable EDR tool will be an additional layer of security to protect your network just in case your users don’t follow best practices. SpearTip also recommends ensuring a SIEM tool is deployed that collects and aggregates logs from critical systems and network devices. Oftentimes, malicious activity can be spotted through a SIEM tool first if the Threat Actors haven’t dropped malicious files within your network first. Having a security team responding to alerts on a 24/7 basis will also minimize any potential impact of ransomware.

SpearTip is constantly watching for new malware and manipulative programs. Our 24/7 Security Operations Center (SOC) is fully staffed with cybersecurity professionals to monitor and protect your environment. Not only are our cybersecurity teammates continuously preventing cyber attacks, but also able to deploy our proprietary tool, ShadowSpear® in an environment before or after an attack.