Last week the Fallout Exploit kit was distributing the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles, for lack of a better name, through malvertising campaigns.

This ransomware was first discovered by Michael Gillespie, but it was not known how it was being distributed. Today, exploit kit expert Kafeine, discovered it being distributed in malvertising campaigns where IP addresses in Japan, France, and other locations have been targeted. 

Below you can see a malvertising redirect chain that Kafeine recorded in Fiddler.

Fiddler showing redirect chains
Fiddler showing malvertising chains

As you can see, the malvertisement will cause the visitor to go through a stream of redirects until they eventually get to a site hosting the Fallout Exploit kit.

The exploit kit will then automatically download and install the SAVEfiles ransomware onto the victims computer. The connection to is the ransomware connecting back to it's Command & Control server to receive an encryption key.

Before the victim knows it, their files will be encrypted with the .SAVEfiles extension as shown below. For example, a file named 1.doc will be encrypted and renamed to 1.doc.SAVEfiles.

While encrypting the computer, the ransomware will also create ransom notes in each folder called !!!SAVE__FILES__INFO!!!.txt. These ransom notes will tell the victim to contact the attackers at or for payment instructions.

SAVEfiles Ransom Note
SAVEfiles Ransom Note

The Fallout Exploit kit

The Fallout Exploit kit is a relatively new kit that was discovered in August 2018 being used in malvertising campaigns. Kafeine told BleepingComputer that Fallout is an updated version of Nuclear Pack and is being sold on underground forums.

Attackers use this exploit kit by hacking into sites or generating new ones that they then host the exploit kit scripts on. Attackers then use malvertising to redirect users to the sites where the code is located.

Fallout exploit kit script
Fallout exploit kit script (Source:

Fallout attempts to exploit vulnerabilities in VBScript and Flash Player on visitors machines. All a victim has to do is be redirected to or visit a site that is running the exploit kit, and if they are vulnerable, will have malware automatically installed onto their computer.

Related Articles:

Fallout Exploit Kit Now Installing the Kraken Cryptor Ransomware

New Fallout Exploit Kit Drops GandCrab Ransomware or Redirects to PUPs

HookAds Malvertising Installing Malware via the Fallout Exploit Kit

The Week in Ransomware - October 5th 2018 - Restaurant Shutdowns & Exploit Kits

Microsoft Patches Windows Zero-Day Exploited in Cyber Attacks