Artificial intelligence (AI) and small-business tools have been used as cover to attack unsuspecting victims with ransomware.
In the masquerade campaign discovered by Cisco Talos, cybercriminals hid malware behind software and installer packages that mimic the lead-monetization service Nova Leads, the extremely popular ChatGPT, and the AI video tool Invideo AI.
SMEs are rapidly adopting AI tools: a recent survey from the US Chamber of Commerce and the strategy firm Teneo found that 98% of SMEs already use at least one AI-driven product and 40% use generative AI.
According to researchers at Cisco Talos, there are two threats.
“Unsuspecting companies looking for AI solutions can be deceived into downloading counterfeit tools that have built-in malware,” Talos said. “This practice poses significant risks, as it not only compromises sensitive business data and financial assets but also undermines confidence in legitimate AI market solutions.”
In the first potential online attack, Talos discovered that cybercriminals had created a fake website closely resembling that of a legitimate company, Nova Leads. The company helps businesses monetize their leads through acquisition, conversion and content creation. But rather than simply copying the look and feel of Nova Leads' website, the cybercriminals also offered a completely fake AI-powered product called “Nova Leads AI.”
On the malicious website, users were offered a download of Nova Leads AI with 12 months of “free access”. If the user downloaded and installed the fake software, the CyberLock ransomware was deployed instead. Talos researchers analyzed how CyberLock moved across the network and obtained the ransom note left by the cybercriminals. In it, the ransomware gang claimed that its attacks were altruistic.
“We want to ensure that your payments will not be sent to us,” the ransomware gang said in the note. “Instead, they will go to support women and children in Palestine, Ukraine, Africa, Asia and other regions where injustice is a daily reality.”
The note tells the victim to pay $50,000 in cryptocurrency. Campaigns like this are particularly dangerous because the cybercriminals manipulate SEO to rank their malicious websites near the top of relevant search results. Known as “SEO poisoning,” this technique is used by scammers, hackers and shady websites.
In the second potential attack, Talos discovered a software installer labeled “ChatGPT 4.0 Full Version – Premium.exe” that actually hid the Lucky_Gh0$t ransomware. Interestingly, the installer also bundled legitimate open-source AI tools from Microsoft, probably as an evasion technique to avoid detection by antivirus tools that inspect the package.
Lucky_Gh0$t's ransom note did not state any particular dollar amount, but its operators took a completely different attitude from CyberLock's humanitarian posturing.
“We're not a politically motivated group and we don't need anything but your money.”
In the final potential attack, Talos found a new piece of malware the team named “Numero.” It is not ransomware in the strict sense, but Talos found that once deployed it renders the system “completely unusable.”
Talos found that internal data in the malware uses the product and organization names of Invideo AI, an AI-powered video generation service that can be used for marketing, content creation and more.
Cybercriminals have long disguised malware as popular brands, but the rise of AI and its popularity with small businesses highlight the dangers small firms face simply by trying to do business online. Help is at hand, though.
How to protect small businesses from ransomware
As with all malware infections, the best defense against ransomware is to stop the attack from happening in the first place. To keep your business secure from this existential threat, follow these steps:
- Block common entry points. Patch known vulnerabilities in internet-facing software promptly, and disable or harden remote-access tools such as RDP and VPNs, including the credentials used to log in to them.
- Prevent intrusions and stop malicious encryption. Stop the threat early, before it infiltrates or infects the endpoint. Always run endpoint security software that can block the exploits and malware used to deliver ransomware.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can quickly restore essential business functions.
- Don't get attacked twice. Once you have isolated the outbreak and stopped the initial attack, remove every trace of the attackers, their malware, their tools and their methods of entry, so the attack cannot simply be repeated.
