Ransomware pollinates Google Ads with Bumblebee malware
Employers are being told to warn their staff looking to download software such as Zoom, ChatGPT, and Citrix Workspace to be careful of clicking on fake download links that could spread ransomware.
This is due to a rise in “Bumblebee” malware across various online ads, including Google Ads and fake download pages, according to cyber security firm Secureworks.
The malware, which was first discovered in March 2022, is often distributed via phishing attacks to deliver ransomware to enterprises, the firm has warned.
Secureworks director of intelligence Mike McLellan warned remote workers against going online to install software rather than going through official work channels.
“Research shows that as many as one in every 100 adverts online contains malicious content,” he said.
“As people look for new tech or want to get involved with the hype around new tech like ChatGPT, Google is the place to go to find it. Malicious ads returned in search results are incredibly hard to spot, even for someone with deep technical knowledge.”
In one case, Secureworks witnessed a user follow a fake Google Ad to download a legitimate Cisco AnyConnect VPN installer that had been modified to contain the Bumblebee malware.
According to the cyber firm, within hours, a threat actor accessed their system and attempted to deploy ransomware. “Fortunately, network defenders detected and stopped them before they were able to do so,” said McLellan.
According to the cyber expert, the shift from phishing to Google Ads is not surprising.
“Adversaries follow the money and the easy route to success, and if this proves to be a better way of getting access to corporate networks then they will absolutely exploit it.
“What it does highlight is the importance of having strict policies in place for restricting access to web ads as well as managing privileges on software downloads, as employees should not have privileges to install software on their work computers,” concluded McLellan.
The cyber firm advised organisations to protect their companies by implementing restrictions and controls which limit users’ ability to click on Google Ads.
It added that organisations should also make sure that software installers and updates are only downloaded from trusted and verified websites.
Advice from top cyber experts on how to mitigate a ransomware attack in your firm can be found in TI’s ransomware report.