Update (05/14): The Pathé website is back online. However, the infection is still there and it is again redirecting visitors to Angler and CryptXXX.

Fiddler

Update (05/13): 

Pathé has acknowledged the issue and put their site in maintenance mode in order to fix it.

pathe

The other good news is that there is a new version of the decrypter tool for CryptXXX 2.x. We have tested it and it works well.

– –

Pathé, a major French film production and distribution company is serving ransomware via one of its websites, pathe[.]fr. The film company has a rich history that predates Universal Studios and Paramount Pictures, and is famous for inventing the newsreel in 1908.

We detected that their server hosting pathe[.]fr was compromised with malicious code embedded inside of its pages, responsible for automatically redirecting unsuspecting visitors to the Angler exploit kit.

Angler serves its own ransomware, dubbed CryptXXX which recently received an update to defeat an existing decryption tool that could once restore files to their original non-encrypted state. In addition, the ransomware now prevents the user from using their computer at all, by locking their desktop with a fullscreen ransom note.

Flow

Traffic flow:

Fiddler

Malwarebytes Anti-Exploit stops this attack:

MBAE_

We have alerted the film company but recommend people to avoid visiting their site at the moment and be sure to run exploit mitigation software to defend against drive-by download attacks.