The site now includes a malicious link that infects the computers of anyone visiting , Arctos contends . Palani Bala , Arctos ' CTO , claims that HPCL 's site was compromised by a series of attacks by the pseudo-Darkleech campaign , which exposes users to Nemucod malware that , in turn , downloads Cerber ransomware onto their machines . Darkleech is a long-running campaign that uses exploit kits to deliver malware . The executable downloaded logs delivered by exploit kits were analyzed through a behavior analysis engine , which identified the executable file as Cerber ransomware based on behavior classification , Bala says . Landing page deobfuscated by Arctos Ateles engine . Source : Arctos Threat Research Co. Bala claims the attackers run automated bots that look for vulnerable sites and then tamper with them by adding additional content that delivers malware to visitors ' computers . Experts say hackers using Cerber ransomware usually demand Attack.Ransom $ 1,000 in bitcoin from infected users . Cerber ransomware and its encryption components are updated daily on the site , he adds . First appearing in March 2016 , Cerber often contains an audio file with a ransom message . The ransomware largely spreads via spear-phishing campaigns Attack.Phishing , security experts say . Arctos suspects Vulnerability-related.DiscoverVulnerability the HPCL attackers ' bot might have exploited Vulnerability-related.DiscoverVulnerability vulnerabilities in an old Apache web-server or any additional services/plug-ins running in the server , Bala says . He recommends that HPCL 's webserver infrastructure perimeter be protected around the clock by advanced security monitoring solutions to detect such compromises . In the meantime , it 's time CERT-In made a recommendation to HPCL and others on how to avoid infections .