Cybercriminals exploit AI hype to spread ransomware, malware

Threat actors linked to lesser-known ransomware and malware projects now use AI tools as lures to infect unsuspecting victims with malicious payloads.

This development follows a trend that has been growing since last year, starting with advanced threat actors using deepfake content generators to infect victims with malware.

These lures have become widely adopted by info-stealer malware operators and ransomware operations attempting to breach corporate networks.

Cisco Talos researchers have discovered that the same technique is now followed by smaller ransomware teams known as CyberLock, Lucky_Gh0$t, and a new malware named Numero.

The malicious payloads are promoted via SEO poisoning and malvertising to rank them high in search engine results for specific terms.

AI tool impersonation

CyberLock is PowerShell-based ransomware delivered through a fake AI tool website (novaleadsai[.]com) posing as the legitimate novaleads.app.

Malicious website delivering CyberLock ransomware
Source: Cisco Talos

Victims are lured by offers of a free 12-month subscription, leading them to download a .NET loader that deploys the ransomware.

Once executed on the victim's machine, CyberLock encrypts files across multiple disk partitions, appending the .cyberlock extension on locked files.

The ransom note demands a $50,000 ransom to be paid in the hard-to-trace Monero cryptocurrency, claiming that the funds will support humanitarian causes in Palestine, Ukraine, Africa, and Asia.

SentinelLabs blog used as wallpaper by CyberLock
Source: Cisco Talos

Lucky_Gh0$t is a new ransomware strain derived from Yashma, which itself is based on the Chaos ransomware.

Cisco analysts observed it being distributed as a fake ChatGPT installer ("ChatGPT 4.0 full version - Premium.exe") packaged in a self-extracting archive.

The package includes legitimate Microsoft open-source AI tools alongside the ransomware payload, likely to evade antivirus detection.

If executed, it encrypts files smaller than 1.2GB, appending random four-character extensions, while larger files are replaced with a same-size junk file and deleted.

Victims of Lucky_Gh0$t receive a personal ID and are instructed to contact the attacker through the secure messenger platform Session for ransom negotiations and decryption.

Lucky_Gh0$t ransom note
Source: Cisco Talos

Finally, a new malware called Numero masquerades as an InVideo AI installer but is designed to attack Windows systems.

The malware is delivered in a dropper containing a batch file, VB script, and an executable named wintitle.exe. 

It executes in an infinite loop, continuously corrupting the victim's graphical user interface by overwriting window titles, buttons, and content with the numeric string "1234567890."

Windows dialog following a Numero infection
Source: Cisco Talos

Although no data is destroyed or encrypted by Numero, the malware renders Windows systems it infects completely unusable. At the same time, the infinite loop it runs ensures the system is "locked" in this visually corrupted state.

As more cybercriminals attempt to take advantage of people's growing interest in AI tools, caution is advised with files downloaded from dubious websites.

It would be more prudent to stick to major AI projects instead of experimenting with new tools and source the installers from the official websites instead of following links from promoted results or social media posts.