The article discusses a recent campaign targeting individuals and organizations submerged by ransomware families, such as CyberLock ransomware and Lucky_Gh0$t ransomware, and a more destructive variant calledNumero. These threats aim to exploit the use of legitimate AI tools, particularly from popular platforms, to convey false information and download malicious binary files. The goal of these attacks is to decrypt specific keys, causing files to be lost or misused, and in some cases, открiveness.
The article highlights that legitimate AI tools, especially those applied in the business-to-business (B2B) sales domain and marketing sector, are preferred by threat actors implementing these campaigns. The threat perpetuates by mimicking修建ants like Novaleadsai, known for promoting lead monetization platforms such as NovaLeads. The website in question, novaleadsai[.]com, serves as a campaign tool to manipulate search engine optimization (SEO) by creating an artificial ” демо Windows Domain” on February 2, 2025, while promoting a ZIP archive of a .NET executable called NovaLeadsAI.exe. This binary was compiled in February 2025, and its execution led to the download of multiple ransomware binaries, such as CyberLock, Lucky_Gh0$t, andNumero. Each ransomware variant targeted specific file partitions, such as “C:,” “D:,” and “E:”, and manipulated graphical user interfaces (GUI) to degrade the victim’s machines.
The CyberLock ransomware, developed using PowerShell, was found to encrypt specific files on the victim’s system.-modules created by Yashma ransomware, which consists of files designed to mimic Microsoft ransomware, were also targeted. Lucky_Gh0$t ransomware, a variant of the Yashma family, was{}s found to target files up to 1.2GB in size but eluded to by a 0.49MB patch file containing-set of six extensions. Lucky_Gh0$t ransomware decided to drop a ransom note. The victim’s ransom note, included by the threat actor, offered a unique decryption ID and instructed victims to reach out via a session messaging app to complete a payment, ultimately attempting to obtain a decryptor for-round decryption of immense amounts of money, over $50,000 over three days.
The article also notes that the threat actor employed a different tactic. The “LoLBin” binary, with the “/w” option, was used to remove unused disk space from the victim’s entire_volume. This acted as a “situation” to prevent forensic recovery of deleted files.ither threat actor used the victim’s malicious installer toスタートz three separate binary types. For the malicious installer, a Windows batch file was run in an infinite loop, executing a malicious凶ine to offer a 12-hour business deadline.
The integration of legitimate AI tools into ransomware campaigns creates a mix of technical depth and real-world relevance, highlighting how these threats unite developers and security personnel. While CyberLock ransomwareapplys to non-AI applications, the campaign also involves legitimate AI tools used for breach detection, suggesting a shift in cybersecurity strategies. The threat differs further in its targeting, aiming primarily at Windows-based systems but also accessing AI ecosystems.
In summary, the campaign relies on the prevalence of legitimate AI tools targeting monetary irrigation and misweekday parameters. The threat actor manipulate境内 mimic substrates, such as “_ln.” and “rpt.” the winner of contesting scenes via their fake installers, creating a digital似乎是 ASML to restore order. The ransomware processes target legitimate information and malicious functionality, leading to the System Final (SF). For the毫米ni$, it’s overchangedDEF by the threat actor’s digital飙升.