Join top executives in San Francisco on July 11-12, to hear how leaders are integrating and optimizing AI investments for success. Learn More

Beware of what you click on.

An incredibly complex malware virus masquerading as a legitimate ad network and traced to Australia has infected thousands of computers by directing people clicking on the sites to malicious ones. Once you click on the sites, the malware, sequestered in a Flash or Adobe Reader file, then encrypts all the files on your machine.

“The only way to decrypt your files is to pay a ransom. When you pay it, you’re given a key that decrypts your files. Usually the ransom is $500, which you pay with Bitcoins. It’s pretty nasty,” said Malwarebytes lead researcher Jerome Segura, who spent weeks unlocking the scam.

The scam is unusual. Cyber criminals using ad network websites are relatively rare and just starting to come onto the radar of security researchers, Segura said.


Transform 2023

Join us in San Francisco on July 11-12, where top executives will share how they have integrated and optimized AI investments for success and avoided common pitfalls.


Register Now

Segura, a noted cyber expert, said the fraudulent website in question is While traced to Australia, the URL is hidden behind Cloudflare, which makes tracking it through ISPs nearly impossible. The ads have also appeared on and, a popular porn site.

The researcher suspects the site is being run by cyber criminals somewhere in Russia. The thugs approach legitimate highly trafficked sites and offer to display their ads, but according to Malwarebytes, the real thrust is to get malware onto your machine.

A chart of “if” statements that Segura said is suspicious

Above: A chart of “if” statements that Segura said is suspicious

Image Credit: Malwarebytes

Studying some of the ads on the suspect sites, Segura found that victims were sent to a webpage that hosted an “exploit kit known as RIG EK, which exploits Flash while simultaneously installing a Trojan Horse.”

Segura and his team found the site while running a “honeypot” operation, where researchers regularly browse sites running on old Flash and Javascript. By studying them, the team often finds sites that have either been compromised by a virus or are the culprits spreading it. The scam was discovered a month ago.

At first, Segura thought had been a victim itself. He reached out via email to system administrators there, who replied they had been affected by the Open SSL ‘Heartbleed’ virus that was discovered in April. Segura noticed their first language wasn’t English and said he initially believed their response.

But he soon discovered the domain hidden behind Cloudflare, which masks IP addresses and makes them hard to trace.

“The site was using text that had been cut and pasted from Wikipedia. I went back and this time around started to dig deeper. I studied the Flash advertisements. It was very strange,” Segura said.

Segura’s blogpost on the virus goes live Friday. You can read it here.

According to Malwarebytes, there are certain strings and functions in Flash that can be potentially dangerous. These include Loader, Externallnterface, NavigatetoURL, currentDomain, and loadBytes. Segura said that Flash ads are “actually applications which can perform certain undesired actions.”

“One of them is redirecting the browser to a potentially harmful site.”

Shielding yourself from this scam is relatively straightforward, Segura noted. Disabling Flash or tools like NoScript is advisable. A downside is that disabling both can impede your browsing experience. And, of course, Segura would recommend installing the latest version of Malwarebytes.

You’ve been warned.

VentureBeat's mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.