Website For French Cinema Chain Gets Hacked, Serves CryptXXX Ransomware (UPDATED)

Website For French Cinema Chain Gets Hacked, Serves CryptXXX Ransomware (UPDATED)

Update (05/14): The Pathé website is back online. However, the infection is still there and it is again redirecting visitors to Angler and CryptXXX.


Update (05/13): 

Pathé has acknowledged the issue and put their site in maintenance mode in order to fix it.


The other good news is that there is a new version of the decrypter tool for CryptXXX 2.x. We have tested it and it works well.

– –

Pathé, a major French film production and distribution company is serving ransomware via one of its websites, pathe[.]fr. The film company has a rich history that predates Universal Studios and Paramount Pictures, and is famous for inventing the newsreel in 1908.

We detected that their server hosting pathe[.]fr was compromised with malicious code embedded inside of its pages, responsible for automatically redirecting unsuspecting visitors to the Angler exploit kit.

Angler serves its own ransomware, dubbed CryptXXX which recently received an update to defeat an existing decryption tool that could once restore files to their original non-encrypted state. In addition, the ransomware now prevents the user from using their computer at all, by locking their desktop with a fullscreen ransom note.


Traffic flow:


Malwarebytes Anti-Exploit stops this attack:


We have alerted the film company but recommend people to avoid visiting their site at the moment and be sure to run exploit mitigation software to defend against drive-by download attacks.


Jérôme Segura

Principal Threat Researcher