HomeRisk ManagementsALPHV/BlackCat Ransomware Gang Targets Businesses Through Google Ads

ALPHV/BlackCat Ransomware Gang Targets Businesses Through Google Ads

Published on

spot_img

The notorious ALPHV/BlackCat ransomware has been found to be using Google Ads as a method of distributing malware. According to eSentire’s Threat Response Unit (TRU), the gang behind the $100m MGM Resorts breach and the leaking of sensitive images of breast cancer patients has now expanded its attack methods to include malvertising.

The security firm intercepted and thwarted attempts by ALPHV/BlackCat affiliates to breach a law firm, a manufacturer, and a warehouse provider within the past three weeks. The group is part of a cybercrime economy with specialized roles, evolving from experienced ransomware operators like REvil, DarkSide, and BlackMatter, with affiliates supporting ALPHV/BlackCat including FIN7, UNC2565, and Scattered Spider.

The new tactic observed by eSentire involves using Google Ads to promote popular software like Advanced IP Scanner and Slack, leading business professionals to attacker-controlled websites. These professionals, believing they are downloading legitimate software, unknowingly install the Nitrogen malware, which serves as initial-access malware. This provides intruders with a foothold in the target organization’s IT environment, allowing the hackers to infect the victim with ALPHV/BlackCat ransomware.

Understanding the severity of the situation, Keegan Keplinger, a senior threat intelligence researcher with TRU, explained that the Nitrogen malware leverages obfuscated Python libraries that compile to Windows executables. These libraries, which are useful for legitimate use cases such as optimizing Python code, are being used to develop malicious malware loaders that can load intrusion tools directly into memory. This indicates a concerning trend in the rise of browser-based cyber-threats, where users unknowingly download malware while browsing.

To address this growing threat, Keplinger emphasized the need for user awareness training to extend beyond email attachments and encompass the risk of browser-based downloads. In response to the eSentire advisory, organizations are recommended to focus on endpoint monitoring, capture and monitor logs for systems not supporting endpoint monitoring, and implement attack surface reduction rules to mitigate browser-based attacks.

The criminal origins of the ALPHV/BlackCat group, along with its connections to former ransomware groups and recent high-profile attacks on MGM Resorts, McClaren Health Care, Clarion, and Motel One, further emphasize the urgency for enhanced cybersecurity measures. This highlights the importance of organizations being proactive in implementing robust cybersecurity measures to protect against the evolving tactics of cybercriminals.

In conclusion, the use of Google Ads by the ALPHV/BlackCat ransomware group to distribute malware serves as a reminder of the ever-evolving nature of cyber threats and the need for organizations to continually adapt and enhance their cybersecurity measures to stay ahead of malicious actors.

Source link

Latest articles

CISA RRAP Launched to Enhance Infrastructure Security

The Regional Resiliency Assessment Program (RRAP), a collaborative effort between the Cybersecurity and Infrastructure...

Law enforcement action disrupts LockBit ransomware operation. Health care cyberattack disrupts prescription processing.

Operation Cronos, a law enforcement initiative, has successfully disrupted the activities of the LockBit...

Russian Ministry Software Infected with North Korean KONNI Malware

A recent cybersecurity revelation has shed light on the KONNI malware, a tool associated...

Infiniti USA Cyberattack Reveals New Mogilevich Ransomware

Infiniti USA, the luxury vehicle division of Nissan, found itself at the center of...

More like this

CISA RRAP Launched to Enhance Infrastructure Security

The Regional Resiliency Assessment Program (RRAP), a collaborative effort between the Cybersecurity and Infrastructure...

Law enforcement action disrupts LockBit ransomware operation. Health care cyberattack disrupts prescription processing.

Operation Cronos, a law enforcement initiative, has successfully disrupted the activities of the LockBit...

Russian Ministry Software Infected with North Korean KONNI Malware

A recent cybersecurity revelation has shed light on the KONNI malware, a tool associated...
en_USEnglish