Security Experts:

Blackhole Exploit Kit Holding Systems Hostage Over Copyright Violations

The Blackhole exploit kit has moved its ransom-based payloads forward from child porn and terrorism to copyright violations. The new theme from the crime kit is professionally developed and is mostly targeting users in Europe.

The changeup from Blackhole was discovered by researchers at, the Swiss security blog. Briefly, the Blackhole exploit kit was launched in 2010 by developers in Russia. The kit targets various vulnerabilities, from Windows only, to Adobe’s Flash and PDF formats, and Java.

Blackhole Exploit KitOnce the attack is successful, any number of payloads can be delivered from Rogue Anti-Virus, to Ransomware. Earlier this year, version 1.2.2 was released, and offered as a SaaS solution, or annual / semi-annual license. ($1500 annually, SaaS fees vary depending on the length of usage; $50 for 24-hours, up to $200 for seven days.)

The latest campaign holds the compromised system hostage. The contents of the system are encrypted, and the victim is accused of copyright infringement. In order to decrypt the system, the victim is ordered to pay a fine (roughly $50 USD) using a pre-paid money service. The warning and infringement notices are written in the local language depending on where the victim resides, and appear to be professionally written and translated.

Currently, the campaign is targeting users in Switzerland, Germany, Austria, the U.K., France, and Netherlands. In addition to the Ransomware component, the attack also installs Aldi Bot on the compromised system, which is a family of malware that targets financial information, such as banking credentials.

More information, including example screenshots of active infections, can be seen here.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.