Cybercriminals Are Using Fake AI Tools to Spread Malware

The massive excitement around Artificial Intelligence (AI) tools has become a goldmine for cybercriminals, who are exploiting the buzz to trick people into downloading ransomware and other malware. This is no longer a tactic reserved for highly advanced groups; smaller, lesser-known crews are now using it effectively as well.

These malicious actors, including the ransomware gangs behind CyberLock and Lucky_Gh0$t and the operators of a new malware strain called Numero, are creating deceptive websites and installers that impersonate popular AI tools. To put their fake downloads in front of victims, they rely on SEO poisoning (manipulating search results so their sites rank at the top for specific AI-related queries) and malvertising (placing malicious online advertisements).

Here are some specific examples of these fake AI threats:

[Figure: Lucky_Gh0$t ransom note. Source: Cisco Talos]
  • CyberLock Ransomware: This threat is distributed via fake AI tool websites, such as “novaleadsai[.]com,” which impersonates legitimate services. Victims are often enticed by offers like a “free 12-month subscription.” If you fall for this and download the malicious file, CyberLock will encrypt files across your computer’s disk partitions, appending a “.cyberlock” extension. The ransom note then demands a $50,000 ransom, payable in the hard-to-trace Monero cryptocurrency. Interestingly, the criminals claim these funds will support humanitarian causes.
  • Lucky_Gh0$t Ransomware: This is a newer type of ransomware, derived from the Yashma strain (which is based on Chaos ransomware). Cisco analysts observed it being spread as a fake “ChatGPT 4.0 full version – Premium.exe” installer. What makes this particularly tricky is that the malicious package often includes legitimate Microsoft open-source AI tools alongside the ransomware payload. This tactic likely helps it evade detection by antivirus software. Once executed, Lucky_Gh0$t encrypts files smaller than 1.2GB (appending random four-character extensions) and deletes larger files by replacing them with junk data. Victims receive a personal ID and are instructed to contact the attackers via the secure messaging platform Session for ransom negotiations and decryption.
  • Numero Malware: This is a distinct and particularly disruptive new malware that masquerades as an “InVideo AI installer.” Unlike ransomware, Numero doesn’t encrypt or destroy your data. Instead, it is designed to render your Windows system completely unusable: it runs in an infinite loop that continuously corrupts the graphical user interface (GUI), overwriting window titles, buttons, and all other content with the numeric string “1234567890.” This effectively locks the computer in a visually corrupted, non-functional state.
[Figure: Windows dialog following a Numero infection. Source: Cisco Talos]
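The two ransomware families above leave a file-naming footprint that a defender can sweep for after the fact: CyberLock appends a fixed “.cyberlock” extension, while Lucky_Gh0$t appends a random four-character extension to every file it encrypts. The following added example (written for this page, not Cisco Talos or BleepingComputer tooling) is an offline indicator scan over a constructed list of file paths. It flags any “.cyberlock” file directly and, for the random-extension case, flags a directory only when many files in it carry distinct unknown four-character extensions, since a single odd extension proves nothing. The allowlist of legitimate four-character extensions and the cluster threshold of 5 are assumptions chosen for the example.

```python
"""Offline file-name indicator scan for the CyberLock and Lucky_Gh0$t
renaming behaviours described above (constructed example, not vendor tooling)."""
from collections import defaultdict
from pathlib import PurePosixPath
import re

# Partial allowlist of common legitimate four-character extensions (assumption;
# extend it for the file types actually present in your environment).
KNOWN_4CHAR_EXTS = {"docx", "xlsx", "pptx", "json", "html", "jpeg", "yaml",
                    "toml", "webp", "heic", "tiff", "flac", "webm"}
RANDOM_EXT_RE = re.compile(r"^[A-Za-z0-9]{4}$")


def is_cyberlock_artifact(path: str) -> bool:
    """CyberLock appends '.cyberlock' to every file it encrypts."""
    return PurePosixPath(path).suffix.lower() == ".cyberlock"


def has_unknown_4char_ext(path: str) -> bool:
    """Lucky_Gh0$t appends a random four-character extension. One such file
    is not evidence on its own, so this is only a building block for scan()."""
    ext = PurePosixPath(path).suffix.lstrip(".")
    return bool(RANDOM_EXT_RE.match(ext)) and ext.lower() not in KNOWN_4CHAR_EXTS


def scan(paths, cluster_threshold: int = 5) -> dict:
    """Return CyberLock-renamed files and the directories in which at least
    `cluster_threshold` files carry *distinct* unknown four-character
    extensions (the tell of a per-file random suffix, as opposed to one
    unusual but legitimate extension repeated across a folder)."""
    cyberlock_files = [p for p in paths if is_cyberlock_artifact(p)]
    exts_per_dir = defaultdict(set)
    for p in paths:
        if has_unknown_4char_ext(p):
            pp = PurePosixPath(p)
            exts_per_dir[str(pp.parent)].add(pp.suffix.lower())
    random_ext_dirs = {d: len(exts) for d, exts in exts_per_dir.items()
                       if len(exts) >= cluster_threshold}
    return {"cyberlock_files": cyberlock_files, "random_ext_dirs": random_ext_dirs}


# Constructed sample listing: one CyberLock-hit folder, one Lucky_Gh0$t-style
# folder, and benign files that must not be flagged.
SAMPLE_PATHS = [
    "/home/alice/Documents/report.docx.cyberlock",
    "/home/alice/Documents/budget.xlsx.cyberlock",
    "/home/alice/Pictures/holiday.jpeg",
    "/home/bob/Desktop/notes.txt.q7xz",
    "/home/bob/Desktop/plan.pdf.k2ma",
    "/home/bob/Desktop/cv.docx.p9rt",
    "/home/bob/Desktop/photo.png.z4hn",
    "/home/bob/Desktop/song.mp3.b8vd",
    "/srv/data/readme.toml",
    "/srv/data/legacy.dat1",  # a lone unknown extension is not a cluster
]

if __name__ == "__main__":
    for key, value in scan(SAMPLE_PATHS).items():
        print(f"{key}: {value}")
```

This is a post-incident triage heuristic, not prevention: by the time either extension shows up, the files are already encrypted, and the random-suffix rule will produce false positives in folders full of unusual but legitimate four-character extensions, which is why the allowlist and threshold are meant to be tuned rather than trusted as given.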

As more criminals try to capitalize on the growing public interest in AI, it is crucial to be cautious about what you download. Obtain AI software directly from the official websites of major, reputable AI projects, and avoid clicking links that appear in promoted search results, social media posts, or questionable websites. Sticking to well-known, verified sources is your best defense against these emerging threats.

Ref: https://www.bleepingcomputer.com/news/security/cybercriminals-exploit-ai-hype-to-spread-ransomware-malware/
