Security researchers have caught cybercriminals impersonating legitimate AI software to distribute ransomware to unsuspecting users. The campaign was also observed delivering infostealers, backdoors, Remote Access Tools (RATs), and other destructive malware.
The ransomware variants being distributed include CyberLock, Lucky_Gh0$t, and a novel variant called Numero, which targets Windows machines. Researchers at Cisco Talos discovered three different campaigns, impersonating legitimate websites with domain names varying from actual AI companies by a few letters. Google’s Mandiant also recently discovered a similar campaign where Vietnamese hackers were impersonating AI-based content generation websites to deliver malware, using social media ads to further their reach.
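One defensive check that follows directly from the lure described above (domains that differ from a real AI brand by a few letters) is to flag hostnames whose registrable label sits within a small edit distance of a known brand, or simply embeds the brand name. This is an added example, not code from the article or from Talos; the brand-to-domain map and all sample hostnames are constructed, and the NovaLeadsAI entry is a placeholder because the article does not give that product's real domain.

```python
from urllib.parse import urlsplit

# Brands the article says were impersonated, mapped to the domains we assume they
# legitimately use. The NovaLeadsAI entry is a placeholder: the article names the
# product but not its real domain.
LEGIT_DOMAINS = {
    "openai": "openai.com",
    "chatgpt": "chatgpt.com",
    "invideo": "invideo.io",
    "novaleadsai": "novaleadsai.example",  # placeholder, not a real domain
}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(host: str) -> str:
    """Label left of the TLD; assumes a single-label public suffix (no co.uk handling)."""
    parts = host.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def classify(url: str, max_edits: int = 2) -> dict:
    """Verdict for a URL or bare hostname: legitimate, brand-embedding, lookalike or unknown."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    for brand, legit in LEGIT_DOMAINS.items():
        if host == legit or host.endswith("." + legit):
            return {"host": host, "verdict": "legitimate", "brand": brand, "edits": 0}
    best = None  # (brand, edit distance) of the closest brand token seen so far
    for token in registrable_label(host).split("-"):
        if len(token) < 4:  # skip tiny tokens that would match almost anything
            continue
        for brand in LEGIT_DOMAINS:
            d = levenshtein(token, brand)
            if d <= max_edits and (best is None or d < best[1]):
                best = (brand, d)
    if best is None:
        return {"host": host, "verdict": "unknown", "brand": None, "edits": None}
    verdict = "brand-embedding" if best[1] == 0 else "lookalike"
    return {"host": host, "verdict": verdict, "brand": best[0], "edits": best[1]}

# Constructed sample hostnames in the style the article describes (not real IoCs).
SAMPLES = ["https://chatgpt.com/", "https://www.openai.com/", "http://chatgpt-premium.example/download",
           "invldeo.example", "https://novaleadsal.example", "https://example.org"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s))
```

The edit-distance threshold is deliberately small; raising it catches more variants but also flags ordinary words, so a hit should trigger a review of the download artefact rather than an automatic block.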
CyberLock ransomware is an emerging ransomware strain that’s being distributed via a fake NovaLeadsAI website. The fake website persuades users to download the AI tool, offering free access for the first year. Once the downloaded ZIP archive is extracted and run, the .NET executable within, called “NovaLeadsAI.exe,” runs an embedded PowerShell script that deploys the ransomware.

Threat actors behind CyberLock then demand $50,000 in ransom to be paid in Monero (XMR) cryptocurrency. The ransom note also employs psychological tactics, claiming that the ransom will be paid for “humanitarian aid in regions like Palestine, Ukraine, Africa, and Asia.” Talos reports that the received ransom is split into two separate crypto wallets, making tracking funds difficult.
Lucky_Gh0$t is being distributed via fake ChatGPT installers, claiming to provide “premium” access to the popular AI chatbot from OpenAI. The malicious executable included in the download impersonates dwm.exe, a legitimate Windows process.
The ransomware targets any file smaller than 1.2GB and encrypts it with AES keys that are themselves RSA-encrypted. The ransom note states plainly that the group wants nothing but money and provides a session ID through which victims can contact the operators to negotiate the ransom amount.
The novel Numero ransomware is spread by a fake recreation of the popular AI video creation tool called InVideo AI. The installer contains a malicious Windows batch file, VB script, and a 32-bit C++ executable, all within a single executable named “wintitle.exe.” Numero monitors the Windows user interface and replaces the window title, buttons, and contents with the string “1234567890”, essentially making the machine unusable.