![[The AI Show Episode 151]: Anthropic CEO: AI Will Destroy 50% of Entry-Level Jobs, Veo 3’s Scary Lifelike Videos, Meta Aims to Fully Automate Ads & Perplexity’s Burning Cash](https://www.marketingaiinstitute.com/hubfs/ep%20151%20cover.png)
![[DEALS] FileJump 2TB Cloud Storage: Lifetime Subscription (85% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
![From electrical engineering student to CTO with Hitesh Choudhary [Podcast #175]](https://cdn.hashnode.com/res/hashnode/image/upload/v1749158756824/3996a2ad-53e5-4a8f-ab97-2c77a6f66ba3.png?#)
![Apple Shares Official Trailer for 'The Wild Ones' [Video]](https://www.iclarified.com/images/news/97515/97515/97515-640.jpg)
Ransomware hiding in fake AI, business tools
Ransomware has been discovered by security researchers in fake installers posing as Chat GPT, Nova Leads, and InVideo AI.
Artificial intelligence (AI) and small business tools are being abused as smokescreens to hit unsuspecting victims with ransomware.
In the masquerade campaigns discovered by Cisco Talos, cybercriminals hid malware behind software and install packages that mimicked the websites or names of the lead monetization service Nova Leads, the enormously popular Chat GPT, and an AI-empowered video tool called InVideo AI.
As small businesses quickly adopt AI tools—a recent survey from the US Chamber of Commerce and the strategy firm Teneo revealed that 98% of small businesses already use at least one AI-powered product and 40% use generative AI—these cybercriminal lures pose the next, big threat to sole proprietors and boutique shops.
According to the researchers at Cisco Talos, the threat is twofold.
“Unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” Talos said. “This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions.”
In the first potential online attack, Talos found that cybercriminals created a fake website that closely resembled that of the legitimate company Nova Leads. The company helps businesses with lead monetization through acquisition, conversion, and content creation. But rather than simply copying the look and feel of Nova’s website, the cybercriminals also offered a completely fake, AI-powered product called “Nova Leads AI.”
On the malicious website, users were prompted to download Nova Leads AI for ”free access” for 12 months. If users downloaded and installed the fake software, the ransomware CyberLock was instead deployed. Researchers at Talos analyzed how CyberLock moved throughout a network and retrieved the ransom note left behind by the cybercriminals. In it, the ransomware gang claimed, falsely, that their attacks were altruistic.
“We want to assure you that your payment does not go to us,” the ransomware gang said in its note. “It will instead go to support affected women and children in Palestine, Ukraine, Africa, Asia, and other regions where injustices are a daily reality.”
In the note, victims are directed to pay $50,000 in cryptocurrency. The ransomware campaign is particularly dangerous as cybercriminals managed to manipulate SEO practices to rank their malicious website near the top of relevant online searches. This method, called “SEO poisoning,” is deployed by scammers, hackers, and shady websites.
In a second potential attack, Talos found that a software installer labeled “ChatGPT 4.0 full version – Premium.exe” was actually hiding the ransomware Lucky_Gh0$t. Interestingly, the files contained within the installer also contained legitimate open-source AI tools from Microsoft, likely as an evasion technique to ward off any antivirus tools inspecting the package for malware.
Though the Lucky_Gh0$t ransom note did not include a specific dollar amount, the cybercriminals displayed a starkly different attitude from CyberLock’s alleged humanitarianism:
“We are not a politically motivated group and we do not need anything other than your money.”
In the last potential attack, Talos found a new malware that the team dubbed “Numero.” Though it is not officially a form of ransomware, Talos found that, once deployed, it effectively renders systems “completely unusable.”
Talos discovered that the malware’s internal data co-opted the product and organizations names of the service InVideo AI, an AI-powered video generation service that can be used for marketing, content, and more.
While cybercriminals have long disguised their malware under popular brands, the emergence of AI—and its popularity for small businesses—highlight the dangers that small shops face simply for trying to do business online. But there is help at hand.
How to protect your small business from ransomware
As is true with all malware infections, the best defense to a ransomware attack is to never allow an attack to occur in the first place. Take on the following steps to secure your business from this existential threat:
- Block common forms of entry. Patch known vulnerabilities in internet-facing software and disable or harden the login credentials for remote work tools like RDP ports and VPNs.
- Prevent intrusions and stop malicious encryption. Stop threats early before they can infiltrate or infect your endpoints. Use always-on cybersecurity software that can prevent exploits and malware used to deliver ransomware.
- Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
- Don’t get attacked twice. Once you’ve isolated an outbreak and stopped a first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.
