Delaware, USA – September 17, 2018 – The Fallout Exploit Kit, which appeared in August 2018, has started spreading a new ransomware strain through malvertising campaigns. Ransomware researcher Michael Gillespie detected the beginning of the campaign, and Kafeine discovered how the malware reaches victims’ computers. Until last week, the Fallout Exploit Kit distributed GandCrab ransomware, and researchers from FireEye published a detailed analysis of the EK. Attackers compromise legitimate websites to host the Fallout Exploit Kit, then use malvertising and redirect chains to lure users to the malicious pages. The exploit kit analyzes the user's browser profile and exploits a VBScript vulnerability (CVE-2018-8174) to download and install the SAVEfiles ransomware.
Fallout is a modified Nuclear Pack EK, and any attacker can buy it on underground forums. The primary targets of the campaigns are located in the Middle East, Southern Europe, Japan, Korea and other countries in the Asia Pacific region. Ransomware infections remain a severe threat to organizations. This weekend, Bristol Airport in the UK fell victim to unidentified ransomware, but the infection did not affect critical systems, and no flight delays have been reported. To detect ransomware attacks at early stages, you can use the Ransomware Hunter SIEM rule pack, which notifies SOC personnel of such attacks at all stages of the Cyber Kill Chain: https://my.socprime.com/en/integrations/ransomware-hunter