Researchers have confirmed that the BlackCat ransomware gang is responsible for a string of Google search ads that used major brands as lures to distribute ransomware over past three weeks. Targeted are businesses and public entities.
BlackCat is part of a cybercrime economy with specialized roles, evolving from experienced ransomware operators like REvil, DarkSide and BlackMatter. Affiliates supporting BlackCat include FIN7, UNC2565 and Scattered Spider.
As per the researchers, the ads placed purported to be legitimate offers for software tools. However, the ads linked to malicious sites that enticed victims to download a Python-based malware payload that opens access for further infection.
The attacks targeted a law firm, a manufacturer and a warehouse provider and were detected and intercepted.
The new tactic that was observed involves using Google Ads promoting popular software like Advanced IP Scanner and Slack, leading business professionals to attacker-controlled websites.
These professionals, thinking they are downloading legitimate software, unwittingly install the Nitrogen malware. Nitrogen serves as initial-access malware providing intruders with a foothold in the target organization’s IT environment. Once established, the hackers infect the victim with BlackCat ransomware.
Researchers added that the rise of browser-based cyber-threats, where users unknowingly download malware while browsing, has become a concerning trend.
It is recommended that the organizations focus on endpoint monitoring, capture and monitor logs for systems not supporting endpoint monitoring and implement attack surface reduction rules to mitigate browser-based attacks.
The BlackCat group’s criminal origins, connections to former ransomware groups and their recent high-profile attacks on MGM Resorts, McClaren Health Care, Clarion and Motel One further emphasize the urgency for enhanced cybersecurity measures.