AI Malware Is Here: New Report Shows How Fake AI Tools Are Spreading Ransomware
- #AI-threats
- #ransomware
- #cybersecurity
- Cisco Talos discovered new threats including CyberLock ransomware, Lucky_Gh0$t ransomware, and Numero malware, all disguised as AI tool installers.
- CyberLock ransomware, developed in PowerShell, encrypts files and demands ransom, falsely claiming payments will go to humanitarian aid.
- Lucky_Gh0$t ransomware is a variant of Yashma ransomware; it encrypts files under 1.2GB and exhibits destructive behavior toward larger files.
- Numero malware manipulates Windows GUI components, rendering systems unusable, and is distributed as a fake AI video creation tool.
- Threat actors use SEO-poisoning and platforms like Telegram to distribute fraudulent AI tool installers, targeting businesses in B2B sales, tech, and marketing sectors.
- CyberLock ransomware uses a .NET loader, elevates privileges, and employs AES encryption, appending '.cyberlock' to encrypted files.
- Lucky_Gh0$t ransomware is distributed via a fake ChatGPT installer, includes legitimate Microsoft AI tools to evade detection, and uses RSA-encrypted AES keys.
- Numero malware evades analysis by checking for debuggers, manipulates desktop windows, and corrupts them with numeric strings.
- Cisco provides multiple security solutions to detect and block these threats, including Secure Endpoint, Secure Email, and Secure Firewall.
- Open-source detection tools like Snort and ClamAV have rules and detections available for these threats.
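As an added example, not Cisco Talos tooling or code from the report, here is a small Python host-triage helper that uses the one file-system indicator the summary gives for CyberLock (the appended '.cyberlock' extension) to enumerate affected files and tally which original file types were hit. The directory layout it builds for a dry run is constructed sample data, not real victim data.

```python
"""Host triage helper: locate files carrying the '.cyberlock' extension.

Added example for this summary; it is not Cisco Talos code and relies only on
the indicator the report states (CyberLock appends '.cyberlock' to files it
encrypts). Run on a suspect directory tree to scope which files were touched.
"""
import json
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path

# Extension the report says CyberLock appends to encrypted files.
CYBERLOCK_SUFFIX = ".cyberlock"


def find_cyberlock_files(root):
    """Walk `root` and return sorted POSIX-style relative paths of '.cyberlock' files."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(CYBERLOCK_SUFFIX):
                hits.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(hits)


def original_extensions(paths):
    """Count the original extensions hidden under the suffix.

    'report.docx.cyberlock' -> '.docx'; a file with no prior extension is '(none)'.
    """
    counts = Counter()
    for p in paths:
        stem = p[: -len(CYBERLOCK_SUFFIX)]
        counts[Path(stem).suffix.lower() or "(none)"] += 1
    return dict(counts)


def triage(root):
    """Return a summary dict: hit count, breakdown by original extension, and file list."""
    hits = find_cyberlock_files(root)
    return {
        "count": len(hits),
        "by_extension": original_extensions(hits),
        "files": hits,
    }


def build_sample_tree(base):
    """Create a constructed directory layout (sample data, not a real incident)."""
    base = Path(base)
    for rel in [
        "docs/report.docx.cyberlock",  # encrypted document
        "docs/notes.txt",              # untouched file
        "img/photo.jpg.cyberlock",     # encrypted image
        "readme.cyberlock",            # encrypted file with no prior extension
    ]:
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return base


def demo():
    """Dry run against the constructed tree; returns the triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print(json.dumps(triage(target) if target else demo(), indent=2))
```

Invoked with a path it reports on that tree; without one it runs the dry run, which finds three encrypted files (one .docx, one .jpg, one without a prior extension) and leaves notes.txt unflagged. The extension match alone is an indicator for scoping, not proof of the specific family, so pair it with the Snort and ClamAV detections mentioned above when confirming.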