Tools / News / The FBI Called Free Online File Converters a 'Rampant' Ransomware Vector. Schools, Universities, and Government Bodies Are Now Banning Them.
Press

The FBI Called Free Online File Converters a 'Rampant' Ransomware Vector. Schools, Universities, and Government Bodies Are Now Banning Them.

· VaultTools

After an FBI advisory identified fake online file conversion sites as active malware delivery tools, independent researchers confirmed specific malicious domains and a wave of institutional bans followed. A February 2026 ransomware attack on a major US newspaper chain is suspected to trace back to one.

VaultTools · March 20, 2026

A glowing padlock on a dark circuit board, representing digital security and ransomware threats. Photo by Franck on Unsplash

Table of Contents


The FBI Advisory

On March 7, 2025, the FBI’s Denver field office issued a public advisory warning that free online file converter websites are being actively used to deliver malware and steal data from uploaded documents. The bureau described the problem as “rampant” and noted that the sites do not merely infect the downloader’s machine: they also scrape sensitive content from the files being converted, including Social Security numbers, banking information, cryptocurrency wallet credentials, and passwords stored in documents.

The advisory named no specific domains but described a consistent pattern: a site accepts a file for conversion, delivers a working converted output to avoid suspicion, and simultaneously executes malicious code or harvests file content server-side.

What Researchers Confirmed

BleepingComputer independently investigated the FBI’s claims and confirmed specific active domains operating the described scheme, including pdfixers.com and docu-flex.com. Submitted files were processed and returned correctly while malware was delivered alongside the result.

Malwarebytes identified additional active malicious converter sites: imageconvertors.com, convertitoremp3.it, convertisseurs-pdf.com, and convertscloud.com. These sites mimic the visual design of legitimate tools and rank in search results for common conversion queries, making them difficult for typical users to distinguish from reputable services.

The Institutional Ban Wave

Following the FBI advisory and independent confirmation, a wave of formal institutional warnings and outright bans began circulating through 2025 and into 2026.

MIT’s SHASS IT department published a direct advisory titled “Do NOT use Online File Conversion Websites,” instructing faculty and staff to avoid all cloud-based conversion tools for work documents. Derbyshire County Council’s Schools IT service in the UK published a detailed guidance document warning schools about the specific risks of free file converters and directing staff to approved local alternatives. Washington University in St. Louis issued similar guidance to its community.

In each case, the institutions cited both the malware delivery risk and the data exposure risk from files processed on third-party servers.

The Lee Enterprises Ransomware Attack

On February 3, 2026, Lee Enterprises, the US publisher operating 77 local and regional newspapers across 26 states, was hit by a ransomware attack that disrupted printing, distribution, and digital operations for weeks. The Qilin ransomware group later claimed responsibility and threatened to publish stolen data.

Security reporters covering the incident noted that a file converter tool was identified as the suspected initial access vector. Lee Enterprises disclosed in SEC filings that recovery costs reached approximately $2 million. The attack disrupted newsrooms across the country and delayed print editions in multiple states for an extended period.

Qilin has been one of the most active ransomware groups tracked through early 2026. Its suspected use of a file conversion site as an entry point follows the pattern the FBI described: an employee uploads a work document to what appears to be a utility site, and the session results in credential theft or a malware payload that provides persistent network access.

Why Uploading Files to Converters Creates This Exposure

The risk in cloud-based file conversion is structural. A user submits a file to a remote server. That server has full access to the file’s contents during processing, and depending on the service, retains it afterward. A malicious operator can read, copy, or exfiltrate file content without the user’s knowledge. A legitimate operator can be breached, and stored files become part of the breach.

Neither outcome requires the user to click a suspicious link or download an obvious executable. The upload itself is the exposure.

Browser-based conversion tools built on WebAssembly process files without any server involvement. The document is read from the user’s disk, converted inside the browser tab using compiled code, and saved back to disk. Nothing is transmitted to a remote server. There is no content for a malicious operator to harvest and no stored file for a breach to expose.

The institutional bans now spreading through schools, universities, and government bodies are formalizing what the architecture already makes clear: cloud-based file conversion and document privacy cannot coexist.


Sources