PopCash malvertising is redirecting users from legitimate sites to a fake software crack site. The crack site pretends to offer download links for programs that break copyright protection on commercial software so that it can be used for free. Using fake software cracks to distribute the malware is the same tactic used by the STOP Ransomware actors, which led STOP to be the most widespread currently active ransomware. In the Exorcist 2.0 ransom notes, victims can get free decryption of one file, a way to chat with the threat actors, and the ransom amount that they need to pay.
Source: https://www.bleepingcomputer.com/news/security/fake-software-crack-sites-used-to-push-exorcist-20-ransomware/