
New Malware Encrypts User Files, Demands Ransom For Decryption

It looks as if computer users are going to need some help from Mel Gibson, because many people are finding their machines held for ransom. Yeah, you read that right….ransom. According to a recent report from Cisco Systems, malicious advertisements have begun popping up on some very big-name websites, including Disney, Facebook and The Guardian. These ads, once clicked, lead users to malware that encrypts the files on their computer and keeps them encrypted until a ransom is paid.

This discovery comes on the heels of a joint operation by tech companies and law enforcement agencies to shut down a botnet that had been delivering online banking malware as well as "ransomware". Ransomware, which encrypts a victim's files and sells back the key, has turned out to be a highly profitable scam and has surged over the past year. Cisco's investigation uncovered a technically complex and highly effective way of infecting a large number of computers with it.

According to Levi Gundert, a former Secret Service agent and now Technical Lead for Threat Research and Analysis at Cisco, speaking in a recent phone interview, this malware "really is insidious." Cisco sells a product known as Cloud Web Security (CWS) that monitors its customers' web browsing and blocks requests to suspected malicious domains. CWS handles billions of web requests every single day, according to Gundert, and Cisco noticed that it was blocking requests to the same 90 domains, most of them WordPress sites, for over 17% of its CWS customers.

Further investigation by Cisco found that many CWS users were ending up on those domains after viewing advertisements on high-traffic sites such as "apps.facebook.com", "awkwardfamilyphotos.com", "theguardian.co.uk" and "go.com" (a Disney website), among others. Certain advertisements on these sites had been tampered with and, if clicked, redirected users to one of the 90 "ransomware" domains.
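The pivot Cisco describes, from blocked requests back to the high-traffic sites the visitors came from, can be reproduced over any web-proxy log that records the HTTP Referer. The following is an added example, not Cisco's CWS code: it walks each blocked request's referrer chain backwards through the same client's earlier requests until it reaches a page with no referrer (the site the user actually visited), and reports what share of clients hit a blocked domain. The log records, the client identifiers, the ad and redirector hostnames under .test and the "block" verdicts are all constructed for illustration.

```python
"""Referrer pivot over proxy logs: which trusted sites funnel users to
blocked domains, and what fraction of clients were affected.
Added example; the log below is constructed, not real CWS data."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed proxy records: (client, requested URL, Referer, proxy verdict).
# .test hostnames are placeholders; "block" means the reputation feed denied
# the request. cust-003 saw the ad but never reached a blocked domain.
PROXY_LOG = [
    ("cust-001", "http://apps.facebook.com/game/", "-", "allow"),
    ("cust-001", "http://ads.adnet.test/serve?id=41", "http://apps.facebook.com/game/", "allow"),
    ("cust-001", "http://blog-a.test/wp-content/rig.php", "http://ads.adnet.test/serve?id=41", "block"),
    ("cust-002", "http://go.com/", "-", "allow"),
    ("cust-002", "http://ads.adnet.test/serve?id=77", "http://go.com/", "allow"),
    ("cust-002", "http://r.redir.test/go", "http://ads.adnet.test/serve?id=77", "allow"),
    ("cust-002", "http://blog-b.test/index.php?x=1", "http://r.redir.test/go", "block"),
    ("cust-003", "http://theguardian.co.uk/", "-", "allow"),
    ("cust-003", "http://ads.adnet.test/serve?id=12", "http://theguardian.co.uk/", "allow"),
    ("cust-004", "http://example.org/", "-", "allow"),
    ("cust-005", "http://apps.facebook.com/other/", "-", "allow"),
    ("cust-005", "http://ads.adnet.test/serve?id=41", "http://apps.facebook.com/other/", "allow"),
    ("cust-005", "http://blog-a.test/wp-content/rig.php", "http://ads.adnet.test/serve?id=41", "block"),
    ("cust-006", "http://example.net/", "-", "allow"),
]


def host(url):
    return urlsplit(url).hostname or ""


def walk_chain(client, blocked_url, log):
    """Follow Referer headers backwards through this client's requests until
    a request with no referer. Returns hostnames ordered origin -> block.
    If a client requests the same URL twice, the later referer wins."""
    by_url = {url: ref for c, url, ref, _ in log if c == client}
    chain, seen = [blocked_url], {blocked_url}
    ref = by_url.get(blocked_url, "-")
    while ref != "-" and ref in by_url and ref not in seen:
        chain.append(ref)
        seen.add(ref)
        ref = by_url[ref]
    if ref != "-" and ref not in seen:  # referer we never saw as a request
        chain.append(ref)
    return [host(u) for u in reversed(chain)]


def pivot(log):
    """Share of clients with at least one blocked request, a count of the
    origin sites their chains started from, and the chain for each block."""
    clients = {rec[0] for rec in log}
    hit, origins, chains = set(), Counter(), {}
    for client, url, _, verdict in log:
        if verdict != "block":
            continue
        hit.add(client)
        chain = walk_chain(client, url, log)
        origins[chain[0]] += 1
        chains[(client, url)] = chain
    return len(hit) / len(clients), origins, chains


if __name__ == "__main__":
    share, origins, chains = pivot(PROXY_LOG)
    print(f"{share:.0%} of clients reached a blocked domain")
    for origin, n in origins.most_common():
        print(f"  {n} block(s) originated at {origin}")
    for (client, url), chain in chains.items():
        print(f"  {client}: {' -> '.join(chain)}")
```

The chain walk is what separates a malvertising problem from a compromised-site problem: a blocked request whose chain starts at a large, legitimate publisher and passes through an ad server points at the ad network, not the publisher.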

This type of attack is known as "malvertising" (they're so creative with these names) and has been a problem for a long time. Advertising networks have taken steps to detect malicious advertisements placed on their networks, but these checks aren't foolproof. Every so often, bad advertisements weasel their way onto websites that use those networks or their affiliate partners, with the websites themselves none the wiser that they are being abused.

"It goes to show that malvertising is a real problem. People expect when they go to a Tier 1 website that it is a trustworthy place to visit, but because there are so many third-party external links, that's not really true," Gundert added. Gundert went on to say that the 90 domains the malicious advertisements funneled traffic to had themselves been hacked. For the WordPress sites, according to Gundert, it appears the attackers used brute-force attacks (guessing a user's login credentials) to gain access. Once inside, they inserted an exploit kit known as RIG, which attacks the computers of anyone who visits the site.

RIG checks whether the visitor is running an unpatched version of Flash, Java or Silverlight and "instantly exploits" any that is vulnerable. Once exploited, the machine is infected with the ransomware, known as CryptoWall. This malware encrypts all of your files and demands a ransom to decrypt them. To make matters worse, the website used to collect the ransom is a hidden service on the Tor (The Onion Router) network.
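The chain above starts with a brute-forced WordPress login, and that step leaves a distinctive trace in the site's own access log: a burst of POST requests to wp-login.php from one address, each answered with a 200 (WordPress re-renders the login form on failure) and then a 302 (the redirect to wp-admin on success), followed by writes through the admin editor. The detection below is an added example, not code from Cisco or from WordPress; the access-log lines are constructed, and the list of wp-admin endpoints treated as "write" indicators is an assumption about where an attacker would plant the exploit-kit redirect, not something the report specifies.

```python
"""Flag WordPress brute-force logins in a combined-format access log and
note what the attacker did after getting in. Added example; log constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: client, ident, user, [timestamp],
# "METHOD path HTTP/x", status, size.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def _line(ip, ts, method, path, status, size):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} {size}'


# Constructed log: 203.0.113.7 hammers wp-login.php, gets in on the ninth
# try, then saves a theme file; 198.51.100.4 is a legitimate editor.
ACCESS_LOG = "\n".join(
    [_line("203.0.113.7", f"10/Jun/2014:03:12:0{i} +0000", "POST", "/wp-login.php", 200, 3581)
     for i in range(8)]
    + [_line("203.0.113.7", "10/Jun/2014:03:12:09 +0000", "POST", "/wp-login.php", 302, 0),
       _line("203.0.113.7", "10/Jun/2014:03:12:15 +0000", "GET", "/wp-admin/theme-editor.php?file=footer.php", 200, 14020),
       _line("203.0.113.7", "10/Jun/2014:03:12:40 +0000", "POST", "/wp-admin/theme-editor.php", 302, 0),
       _line("198.51.100.4", "10/Jun/2014:03:14:00 +0000", "GET", "/2014/06/hello-world/", 200, 9120),
       _line("198.51.100.4", "10/Jun/2014:03:14:30 +0000", "POST", "/wp-login.php", 302, 0)]
)

# Assumed indicator list: admin endpoints that write code or files to the site.
WRITE_ENDPOINTS = {
    "/wp-admin/theme-editor.php", "/wp-admin/plugin-editor.php",
    "/wp-admin/plugin-install.php", "/wp-admin/async-upload.php",
    "/wp-admin/update.php",
}


def parse(text):
    """Yield (ip, timestamp, method, path-without-query, status) per line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield (m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
               m["method"], m["path"].split("?")[0], int(m["status"]))


def detect(text, window=timedelta(minutes=5), threshold=5):
    """Per source IP: peak number of login POSTs inside `window`; if it
    reaches `threshold`, whether any login then succeeded (302) and which
    write endpoints were POSTed to afterwards."""
    by_ip = defaultdict(list)
    for ev in sorted(parse(text), key=lambda e: e[1]):
        by_ip[ev[0]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        logins = [(ts, st) for _, ts, m, p, st in evs if m == "POST" and p == "/wp-login.php"]
        peak, start = 0, 0
        for i, (ts, _) in enumerate(logins):       # sliding window over attempts
            while ts - logins[start][0] > window:
                start += 1
            peak = max(peak, i - start + 1)
        if peak < threshold:
            continue
        success_at = next((ts for ts, st in logins if st == 302), None)
        writes = [p for _, ts, m, p, _ in evs
                  if success_at is not None and ts >= success_at
                  and m == "POST" and p in WRITE_ENDPOINTS]
        findings[ip] = {"attempts": peak, "success": success_at is not None, "writes": writes}
    return findings


if __name__ == "__main__":
    for ip, f in detect(ACCESS_LOG).items():
        print(f"{ip}: {f['attempts']} login attempts, success={f['success']}, writes={f['writes']}")
```

A finding with success=True and a non-empty writes list is the case to act on: reset the account, diff the theme and plugin files against a known-good copy, and look for the injected iframe or script that sends visitors to the exploit kit.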

To reach a Tor hidden service, a user must first have Tor installed. CryptoWall helpfully provides victims with instructions on how to install it, and reminds them that the longer they wait to pay, the larger the ransom becomes. Because of the use of Tor and the complexity of the attack chain, Cisco has been unable to pin the attack on a single group.

Gundert noted that several groups or individuals with different specialties, including malvertising, traffic redirection, exploit writing and ransomware campaigns, working together is a likely scenario. "You could have a threat actor putting together all of these pieces on their own, but there are so many different specialties involved in this attack chain," Gundert adds.

Until the perps can be found, it's probably best not to click on any ads. As a general rule of thumb it's best never to click on random internet ads, but sometimes people just can't help themselves. And since RIG only works against unpatched Flash, Java and Silverlight, keeping those patched (or uninstalled if you don't need them) breaks this attack chain even when a bad ad does get clicked.

For Computer Service And Support Call Computer Service Now Today At 877-422-1907
