Cybercriminals Attack AI Users with Malware Disguised as Popular Software Installers


The Rise of Fake AI Installers: A Dangerous New Ransomware Threat

As the appetite for artificial intelligence tools grows, so does the pool of people willing to download an "installer" for one. Recent reports indicate that cybercriminals are exploiting this by distributing fake installers for well-known AI tools, including OpenAI’s ChatGPT and InVideo AI, to deliver malware, ransomware among it.

Understanding the Threat: CyberLock and Lucky_Gh0$t

According to research from Cisco Talos, two distinct ransomware families are at the forefront of this campaign. CyberLock is a PowerShell-based ransomware that encrypts files on the affected device; rather than encrypting everything, it is written to go after a fixed set of file types in specific directories, which is where most of a user’s valuable data lives. The second family, Lucky_Gh0$t, is another variant of the Yashma ransomware. It differs from its predecessor only in small details, but remains a serious risk to both businesses and individuals.

Impact of Numero Malware

A further concern is a new piece of destructive malware called Numero. Unlike ransomware, whose goal is encryption followed by extortion, Numero corrupts the Windows graphical user interface (GUI). The result is a machine that is effectively unusable: the victim can no longer reach the functions they need, and there is no ransom to pay to get them back.

Targeting B2B Users

Professionals in business-to-business (B2B) sales and marketing are the prime targets of these attacks. These teams lean heavily on AI tools to speed up their work, which makes a "free" AI product a convincing lure.

One example of a lure site is novaleadsai.com. It poses as a lead-monetization platform and relies on search engine optimization (SEO) poisoning to push itself up the search rankings, so a prospective user looking for such a product finds it without being sent a link. Visitors are offered a one-year free trial and end up downloading a ZIP archive containing the malicious installer.

Unpacking the Fake Installer Strategy

Inside the archive, the fake installer NovaLeadsAI.exe acts as a loader that deploys the CyberLock ransomware once executed. After launching, it requests administrative privileges so it can encrypt files across multiple drives, then demands a ransom of $50,000 in Monero. The ransom note cynically invokes the suffering of people in global conflict zones to justify the demand.

The Mechanism of Attack

CyberLock is aggressive about privileges: if it is not already running with administrative rights, it escalates and relaunches itself elevated. It then encrypts files on the C:\, D:\ and E:\ drives that match its list of target extensions. Once encryption is complete it drops a ransom note demanding payment within three days.

The note also works on the victim’s emotions, claiming the ransom will go toward helping children and vulnerable people in conflict-affected regions such as Palestine and Ukraine. That manipulative framing is designed to make an already distressing situation harder to reason about.

The Spread of Lucky_Gh0$t Ransomware

Talos also found Lucky_Gh0$t being distributed via a fake installer that claims to be an upgraded version of ChatGPT. The installer bundles malicious executables under benign-looking file names, and the ransomware payload runs as soon as the installer is executed.
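Both lures described above, the NovaLeadsAI ZIP and the fake ChatGPT upgrade, rely on the victim running an executable that was handed to them inside an archive, sometimes under a name that does not look executable. The following Python script is an added example, not code from the article or from Cisco Talos, of the kind of pre-execution triage a security team can run on a downloaded archive before anyone double-clicks its contents: it lists every entry whose extension Windows will execute, and every entry that carries a Windows PE ("MZ") header under a non-executable name. The sample archive it builds is constructed for the example; only the name NovaLeadsAI.exe comes from the article, and the other file names and contents are invented.

```python
import io
import zipfile

# File extensions Windows will run directly or hand to a script host.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".msi", ".dll", ".bat", ".cmd",
                   ".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk"}
# Extensions that legitimately carry a PE (MZ) header; MZ under any other name is a disguise.
PE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll"}


def extension_of(name: str) -> str:
    """Lower-cased final extension of an archive entry, ignoring any directory part."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[1] if "." in base else ""


def triage_archive(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive entry that should not be opened without further review."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = extension_of(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)          # only the DOS signature is needed for this check
            reasons = []
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"executable extension {ext}")
            if head == b"MZ" and ext not in PE_EXTS:
                reasons.append("PE (MZ) header under a non-executable name")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed stand-in for a lure archive; every entry here is fabricated for the example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Minimal PE-looking stubs: only the leading 'MZ' signature matters to the check.
        zf.writestr("NovaLeadsAI.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("ReadMe.txt", b"Thank you for trying the one-year free trial.\n")
        zf.writestr("License.pdf", b"MZ" + b"\x00" * 62)   # executable hiding behind a document name
        zf.writestr("update.bat", b"@echo off\r\nstart NovaLeadsAI.exe\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(f"{finding['name']} ({finding['size']} bytes): " + "; ".join(finding["reasons"]))
```

Running it reports NovaLeadsAI.exe and update.bat for their extensions and License.pdf for the PE header behind a document name, while ReadMe.txt produces no finding. The header check matters more than the extension list: a renamed executable is exactly the trick the fake ChatGPT installer uses, and a static list of extensions will never be complete.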

This variant limits itself to files smaller than 1.2 GB, encrypting them while deleting volume shadow copies so that the built-in Windows recovery path is closed off. Victims are told to contact the attackers over an encrypted messaging service to negotiate a decryptor.

Sneaky Tactics: Numero Malware in Action

The fraudulent InVideo AI installer, meanwhile, deploys the Numero malware. It works as a dropper: it writes a Windows batch file and a Visual Basic Script to disk, and the two re-run each other in a loop so the malware keeps coming back on the infected system.

The embedded Numero executable then breaks the desktop itself, overwriting window and desktop elements with a numerical string. There is no extortion step; the intent is purely to disrupt.
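Three behaviours in the sections above are worth hunting for in endpoint telemetry regardless of which family produced them: CyberLock relaunching itself with administrative rights, Lucky_Gh0$t deleting volume shadow copies, and Numero’s batch-plus-VBScript loop. The following Python script is an added example, not code from the article or from Cisco Talos, that runs simple detections over process-creation events. The log format, the file names (cl.ps1, run.bat, run.vbs) and the command-line patterns are assumptions: the article does not say which commands the malware uses, so the regexes encode the ways these techniques commonly appear (PowerShell `Start-Process ... -Verb RunAs`, `vssadmin delete shadows`, `wmic shadowcopy delete`, a script host launching a .vbs), and the "rapid relaunch" rule flags any identical process creation repeated three times within a minute, which is how a re-run loop looks from the outside.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Command-line patterns are assumptions about how the behaviours described in the article
# usually appear in process-creation telemetry (e.g. Sysmon event ID 1); they are not
# indicators taken from the Talos report.
RULES = [
    ("powershell_self_elevation",
     re.compile(r"powershell.*start-process.*-verb\s+runas", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy", re.I)),
    ("script_host_dropper",
     re.compile(r"\b[wc]script(\.exe)?\s+.*\.vbs\b", re.I)),
]
RELAUNCH_THRESHOLD = 3                    # identical process creations ...
RELAUNCH_WINDOW = timedelta(seconds=60)   # ... inside this window look like a re-run loop

# Assumed line layout: "<ISO time> pid=<n> ppid=<n> image=<path> cmdline=<rest of line>"
LINE_RE = re.compile(r"^(\S+) pid=(\d+) ppid=(\d+) image=(\S+) cmdline=(.*)$")


def parse_event(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, pid, ppid, image, cmdline = m.groups()
    return {"time": datetime.fromisoformat(ts), "pid": int(pid), "ppid": int(ppid),
            "image": image, "cmdline": cmdline}


def detect(lines):
    """Run the pattern rules plus the relaunch-loop rule; return findings in log order."""
    findings = []
    recent = defaultdict(deque)            # (image, cmdline) -> timestamps inside the window
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for name, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                findings.append({"pid": ev["pid"], "rule": name, "cmdline": ev["cmdline"]})
        key = (ev["image"].lower(), ev["cmdline"].lower())
        seen = recent[key]
        seen.append(ev["time"])
        while seen and ev["time"] - seen[0] > RELAUNCH_WINDOW:
            seen.popleft()
        if len(seen) >= RELAUNCH_THRESHOLD:
            findings.append({"pid": ev["pid"], "rule": "rapid_relaunch", "cmdline": ev["cmdline"]})
            seen.clear()                   # alert once per burst, not on every further relaunch
    return findings


# Constructed sample: one host's process creations illustrating each behaviour in turn.
# Only NovaLeadsAI.exe is named in the article; every other path and name is invented.
SAMPLE_LOG = [
    r'2025-05-29T10:00:01 pid=4120 ppid=3980 image=C:\Users\victim\Downloads\NovaLeadsAI.exe cmdline="C:\Users\victim\Downloads\NovaLeadsAI.exe"',
    r"""2025-05-29T10:00:02 pid=4136 ppid=4120 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell.exe -NoProfile -Command "Start-Process powershell -ArgumentList '-File C:\Users\victim\AppData\Local\Temp\cl.ps1' -Verb RunAs\"""",
    r"2025-05-29T10:00:05 pid=4150 ppid=4136 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell.exe -File C:\Users\victim\AppData\Local\Temp\cl.ps1",
    r"2025-05-29T10:01:10 pid=4210 ppid=4150 image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin.exe delete shadows /all /quiet",
    r"2025-05-29T10:02:00 pid=4300 ppid=4120 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c C:\Users\victim\AppData\Local\Temp\run.bat",
    r"2025-05-29T10:02:01 pid=4310 ppid=4300 image=C:\Windows\System32\wscript.exe cmdline=wscript.exe C:\Users\victim\AppData\Local\Temp\run.vbs",
    r"2025-05-29T10:02:03 pid=4320 ppid=4300 image=C:\Windows\System32\wscript.exe cmdline=wscript.exe C:\Users\victim\AppData\Local\Temp\run.vbs",
    r"2025-05-29T10:02:05 pid=4330 ppid=4300 image=C:\Windows\System32\wscript.exe cmdline=wscript.exe C:\Users\victim\AppData\Local\Temp\run.vbs",
    r"2025-05-29T10:05:00 pid=4400 ppid=3980 image=C:\Windows\notepad.exe cmdline=notepad.exe notes.txt",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"pid {f['pid']}: {f['rule']}  <- {f['cmdline']}")
```

On the sample the script flags the elevated PowerShell relaunch, the shadow-copy deletion, each wscript.exe launch of the .vbs, and a single rapid_relaunch alert on the third launch within the window; the unrelated notepad.exe event is ignored. Real telemetry needs tuning (administrators do run `Start-Process -Verb RunAs`, and backup software touches shadow copies), so pair these with parent-process context, as the ppid field allows, before treating a hit as an incident.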

The Malvertising Campaign and Broader Implications

These campaigns run alongside a broader malvertising effort that harvests user data through counterfeit ads on platforms such as Facebook and LinkedIn. As detailed by Google-owned Mandiant, those ads redirect users to fake websites imitating real AI tools, so the same lure reaches victims through paid ads as well as poisoned search results.

The Growing AI Tool Threat

AI tools are not used only by professionals in tech and design; virtually anyone could fall for one of these scams. Because the ads and sites look legitimate, the practical defense is the unglamorous one: download software only from the vendor’s own site, and treat any "installer" that arrives inside a ZIP archive with suspicion.

As more people look to adopt AI technologies, the odds of running into one of these fake installers rise with them. The campaign is a reminder that security awareness has to keep pace with the tools people are eager to try.
