In a recent report, Microsoft has warned of a ransomware group that is spreading malicious files through Google Ads, in conjunction with more traditional methods such as phishing emails.
The threat actor uses these adverts to point the victim to download links which appear to lead to legitimate files, but which instead harbor harmful software.
Ransomware has been on the rise in recent years, but with the right security protections in place, and solid education, your business can reduce the chance of being affected.
New Ransomware Threat
Microsoft research has shown that a threat actor, dubbed DEV-0569 by the company, has been inserting dangerous malware into Google Ads, in an attempt to trick users into downloading malicious files, believing them to be genuine software.
Between August and October 2022, Microsoft researchers observed activity where links in Google ads, as well as phishing emails and blog posts, directed users to software downloads such as Adobe, TeamViewer, Zoom and others. Instead of the legitimate software, users would download ransomware, which would then attack the users' systems.
Microsoft has confirmed that all identified instances of Google ads being used as a distribution system have been reported to Google.
Microsoft has identified that in some instances, Royal ransomware is being distributed. Royal is a ransomware group that has been active since the beginning of 2022, and Microsoft believes that the organisation is using DEV-0569 as an entry point, pointing to the group being part of the recent trend of ransomware as a service. In these scenarios, group A facilitates the exploit for group B, while taking a cut from successful ransom payments.
Protecting Against Malvertising
Using adverts to infiltrate systems in this way, known as ‘malvertising’, may be new to many users, who are likely much more familiar with traditional practices such as phishing emails.
Microsoft has put together some advice on how to protect against malvertising:
- Use a web browser that supports SmartScreen, to identify and block malicious websites.
- Educate users in the organisation on social engineering and how to recognise the warning signs of malware.
- Use the ‘attack training simulation’ that is part of Office 365 for training.
- Avoid using domain-wide, admin-level service accounts.
- Turn on automatic sample submission on your anti-virus platform, so that new malware can be quickly identified.
Ransomware on the Rise
Ransomware can be tricky to protect against, with threat actors always trying to stay one step ahead and constantly creating new ways to deliver their malicious payload in the hope of ensnaring more victims.
With many of us working from home more than ever, hackers are finding that there are more potential points of entry than ever before. Last year, ransomware was estimated to cost around $1.2 billion, quadrupling from the previous year – and that's just the cases we know about. Many cases go unreported, with victims quietly paying the ransom in the hope of getting their data back.
The good news is that action is being taken. The White House recently hosted a ransomware summit with 36 countries, in the hope of creating a taskforce to disrupt ransomware and develop a network of threat sharing, in an attempt to stay one step ahead.
One of the best defences is education. Train staff to recognise the threats, and adopt best security practice, whether they're in the office or working remotely. Tools such as anti-virus software and password managers may also be considered essential.