Fallout Exploit Kit Pushing the SAVEfiles Ransomware

Last week the Fallout Exploit kit was distributing the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles, for lack of a better name, through malvertising campaigns.

This ransomware was first discovered by Michael Gillespie, but it was not known how it was being distributed. Today, exploit kit expert Kafeine, discovered it being distributed in malvertising campaigns where IP addresses in Japan, France, and other locations have been targeted. 

Fiddler showing redirect chains
Fiddler showing malvertising chains

As you can see, the malvertisement will cause the visitor to go through a stream of redirects until they eventually get to a site hosting the Fallout Exploit kit.

The exploit kit will then automatically download and install the SAVEfiles ransomware onto the victims computer. The connection to is the ransomware connecting back to it’s Command & Control server to receive an encryption key.

Before the victim knows it, their files will be encrypted with the .SAVEfiles extension as shown below. For example, a file named 1.doc will be encrypted and renamed to 1.doc.SAVEfiles.

While encrypting the computer, the ransomware will also create ransom notes in each folder called !!!SAVE__FILES__INFO!!!.txt. These ransom notes will tell the victim to contact the attackers at [email protected] or [email protected] for payment instructions.

SAVEfiles Ransom Note
SAVEfiles Ransom Note

The Fallout Exploit kit

The Fallout Exploit kit is a relatively new kit that was discovered in August 2018 being used in malvertising campaigns. Kafeine told internetnewsblog that Fallout is an updated version of Nuclear Pack and is being sold on underground forums.

Attackers use this exploit kit by hacking into sites or generating new ones that they then host the exploit kit scripts on. Attackers then use malvertising to redirect users to the sites where the code is located.

Fallout attempts to exploit vulnerabilities in VBScript and Flash Player on visitors machines. All a victim has to do is be redirected to or visit a site that is running the exploit kit, and if they are vulnerable, will have malware automatically installed onto their computer.

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Most Popular

To Top