Cyber Incident Victim: The Pirate Bay
Date: Apr 2016
Location: Australia
Summary
A malvertising campaign on a prominent torrent site delivered ransomware via the Magnitude exploit kit during a popular TV series premiere. Attackers purchased ads serving pop-unders that silently redirected visitors to exploit unpatched vulnerabilities in Adobe Flash Player and Microsoft Silverlight, infecting systems with Cerber ransomware without requiring user interaction. The automated attacks primarily targeted users lacking script blockers or updated software, with high-risk exposure noted among audiences in specific regions due to elevated piracy rates of the targeted content. Infections resulted in irreversible file encryption, leaving victims reliant on backups or uncertain ransom payments for potential recovery. This incident followed broader patterns of malvertising leveraging exploit kits to distribute ransomware through compromised ad networks.
Description
On or around April 24, 2016, during the premiere of *Game of Thrones* season six, The Pirate Bay distributed malicious advertisements (malvertising) that delivered Cerber ransomware to visitors. Attackers purchased ad space on the torrent site and used pop-under ads to silently redirect users to the Magnitude exploit kit without requiring any interaction. The exploit kit profiled visitors' systems and targeted unpatched vulnerabilities in Adobe Flash Player (CVE-2015-7645, CVE-2015-8446, CVE-2015-8651) and Microsoft Silverlight (CVE-2016-0034) to execute drive-by attacks. Successful exploits resulted in the automatic installation of Cerber ransomware, which encrypted victims' files. Malwarebytes researcher Jerome Segura confirmed the campaign specifically targeted users searching for the episode "*The Red Woman*," noting that the attack occurred on the first search attempt for visitors without script blockers.

The incident coincided with over one million BitTorrent downloads of the premiere episode, with Australian users representing 12.5% of downloads and facing heightened risk due to their disproportionate piracy rates. NSFOCUS IB analyst Stephen Gates emphasized The Pirate Bay's history of hosting malvertising campaigns and warned that unpatched systems were vulnerable regardless of browsing habits. Cerber infections rendered files irrecoverable except through backups or ransom payments, though decryption keys were not guaranteed after payment. The attack followed a pattern of similar malvertising campaigns linked to the Angler exploit kit and AdsTerra ad network, with Segura documenting approximately 400 prior incidents. No mitigation efforts by The Pirate Bay or law enforcement were reported in the immediate aftermath.
