The cybercriminals behind the Exorcist 2.0 ransomware are now using malicious advertising redirects to trick victims into downloading their malware. According to security researcher Nao_Sec, PopCash malvertising is redirecting users from legitimate links to a fake software crack site. The crack site alleges to offer pirated versions of software for free—for example, one such offer is a ‘Windows 10 Activator 2020’ that will allow someone to use Windows 10 without buying a license from Microsoft. If a person downloads the file from the site, it will contain an archive file that is encrypted, along with a text file that contains a password to the archive. By using a password-protected archive, it allows the download to occur without triggering anti-virus software. Once the setup is running, victims will find that their files are encrypted instead of installing the Windows 10 activator. Contained in the encrypted folder is a ransom note that explains how the victim can pay the ransom through Tor sites. From the ransom notes seen by BleepingComputer, the demands range from $250 to as high as $10,000 depending on the number of files encrypted or other criteria.