Taking advantage of legitimate sites for command-and-control (C&C) purposes is typically done by most malware to avoid rousing suspicion from their targets. While most ransomware directly sends the gathered information to their designated C&C servers, there are some variants that slightly differ. CuteRansomware, for instance, uses Google Docs to pass information from the infected system to the attackers.
One of the latest ransomware families, CryLocker (detected as RANSOM_MILICRY.A), does the same by taking advantage of Imgur, a free online image hosting site that allows users to upload and share photos to their contacts. During our monitoring of activities related to exploit kits, we spotted both Rig and Sundown distributing this threat.