# Full Report
Cisco Talos has uncovered new threats, including ransomware like CyberLock and Lucky_Gh0$t, and a destructive malware called Numero, all disguised as legitimate AI tool installers to target victims.
# Analysis Summary
# Tool/Technique: CyberLock Ransomware
## Overview
CyberLock is a newly discovered ransomware family developed primarily using PowerShell. It is being distributed by threat actors who disguise the malware as legitimate AI tool installers through deceptive websites and search engine manipulation. Its primary goal is to encrypt files on victim systems and demand ransom, falsely claiming the proceeds will fund humanitarian aid.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows (Implied by use of PowerShell and Windows DLLs like `kernel32.dll`, `user32.dll`)
- Capabilities: File encryption, use of PowerShell scripting for core functionality, loading from a .NET executable, hiding console windows, cryptographic file locking.
- First Seen: As early as February 2025.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment (Delivered via seemingly legitimate installer from a fake website)
- T1105 - Ingress Tool Transfer
- T1105.001 - File Transfer Protocol (Implied by loading resources)
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell (Core ransomware logic is written in PowerShell)
- T1027 - Obfuscated Files or Information
- T1027.001 - Plaintext File (The PowerShell script is embedded as an encrypted resource)
- T1548 - Abuse Elevation Control Mechanism
- T1548.002 - Bypass User Account Control (Capability noted: "elevate priv")
## Functionality
### Core Capabilities
- Executes via a multi-stage loading process starting with a .NET executable (`NovaLeadsAI.exe`).
- The PowerShell ransomware script is embedded as an encrypted resource within the loader.
- Hides the PowerShell console window upon execution using `GetConsoleWindow` (kernel32.dll) and `ShowWindow` (user32.dll).
- Generates an AES key and Initialization Vector (IV) by decrypting an embedded public key.
- Encrypts files on the victim system using AES encryption.
### Advanced Features
- Employs psychological manipulation in the ransom note, claiming payments support humanitarian causes (Palestine, Ukraine, Africa, Asia).
- Demands ransom ($50,000 USD) exclusively in Monero (XMR), split across two separate wallets to complicate tracking.
- The ransom note threatens data exposure if payment isn't made within three days, although no evidence of data exfiltration capability was observed in the code.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context, but associated IOCs are available in the linked GitHub repository]
- File Names: `NovaLeadsAI.exe` (Loader executable)
- Registry Keys: [Not specified]
- Network Indicators: `novaleadsai[.]com` (Fake website domain), `cyberspectreislocked@onionmail[.]org` (Ransom note contact email)
- Behavioral Indicators: Hiding the PowerShell console window upon script execution; PowerShell-driven file encryption. (Manipulation of Windows GUI components is the behaviour attributed to the 'Numero' malware, not to CyberLock.)
## Associated Threat Actors
- Undisclosed threat actor using psychological/humanitarian pretext for financial gain.
## Detection Methods
- Signature-based detection:
  - Snort 2 SIDs: 64901, 64902, 64899, 64900, 64897, 64898, 64896
  - Snort 3 SIDs: 301207, 301206, 301205
  - ClamAV Detections: `Ps1.Ransomware.CyberLock-10045054-0`, `Win.Dropper.CyberLock-10045058-0`
- Behavioral detection: Monitoring for .NET executables dropping and launching obfuscated PowerShell scripts that utilize kernel/user DLL functions to manage console visibility.
- YARA rules: [Not explicitly provided in the context, but available via Cisco Talos feeds]
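The behavioral detection above (an unexpected parent process launching PowerShell that hides its own console through `GetConsoleWindow`/`ShowWindow`, then uses AES) can be expressed as a small correlation over process-creation and script-block telemetry. The following is an added example written for this summary; it is not Cisco Talos code and not a published rule. The event field names, the constructed sample events, the parent-process allow-list and the regular expressions are all assumptions; only `NovaLeadsAI.exe` and the two Windows API names come from the report. Note that process-creation logs do not reveal whether a parent is a .NET binary, so the example flags PowerShell spawned by any parent outside a small allow-list instead.

```python
"""Correlate process-creation and PowerShell script-block events to flag the
CyberLock-style loader behaviour: PowerShell started by an unexpected parent,
hiding its console via kernel32!GetConsoleWindow + user32!ShowWindow, with AES
usage as a weighting factor. Added example, not Talos code; fields, samples
and allow-list are assumptions."""
import re
from dataclasses import dataclass, field

# Patterns drawn from the report's description of the CyberLock loader.
CONSOLE_HIDE_PATTERNS = {
    "GetConsoleWindow (kernel32.dll)": re.compile(r"GetConsoleWindow", re.I),
    "ShowWindow (user32.dll)": re.compile(r"ShowWindow", re.I),
    "DllImport / Add-Type native interop": re.compile(r"DllImport|Add-Type", re.I),
}
ENCRYPTION_PATTERNS = {
    "AES usage": re.compile(r"\b(AesManaged|AesCryptoServiceProvider|Cryptography\.Aes)\b", re.I),
    "CreateEncryptor": re.compile(r"CreateEncryptor", re.I),
}
# Parents from which a PowerShell session is normally expected (assumption; tune per estate).
EXPECTED_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe", "windowsterminal.exe", "code.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}


@dataclass
class ProcessEvent:        # subset of a Sysmon Event ID 1 record (assumed shape)
    pid: int
    image: str
    parent_image: str
    command_line: str


@dataclass
class ScriptBlockEvent:    # subset of a PowerShell Event ID 4104 record (assumed shape)
    pid: int
    text: str


@dataclass
class Alert:
    pid: int
    parent_image: str
    reasons: list = field(default_factory=list)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def script_indicators(text):
    """Names of the console-hiding and encryption patterns present in a script block."""
    hits = [name for name, rx in CONSOLE_HIDE_PATTERNS.items() if rx.search(text)]
    hits += [name for name, rx in ENCRYPTION_PATTERNS.items() if rx.search(text)]
    return hits


def correlate(process_events, script_events):
    """Alert on a PowerShell process with an unexpected parent whose script blocks
    reference BOTH console-hiding APIs. AES or a hidden/encoded command line are
    recorded as extra reasons but are not required to fire."""
    procs = {p.pid: p for p in process_events if basename(p.image) in POWERSHELL_IMAGES}
    blocks = {}
    for s in script_events:
        blocks.setdefault(s.pid, []).append(s.text)
    alerts = []
    for pid, proc in procs.items():
        hits = script_indicators("\n".join(blocks.get(pid, [])))
        hides_console = ("GetConsoleWindow (kernel32.dll)" in hits
                         and "ShowWindow (user32.dll)" in hits)
        odd_parent = basename(proc.parent_image) not in EXPECTED_PARENTS
        if hides_console and odd_parent:
            reasons = [f"unexpected parent {basename(proc.parent_image)}"] + hits
            if re.search(r"-(w|windowstyle)\s+hidden|-enc", proc.command_line, re.I):
                reasons.append("hidden/encoded command line")
            alerts.append(Alert(pid, proc.parent_image, reasons))
    return alerts


# Constructed sample telemetry for the example (not from the report).
SAMPLE_PROCESSES = [
    ProcessEvent(4120, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\explorer.exe", "powershell.exe"),
    ProcessEvent(5288, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Users\victim\Downloads\NovaLeadsAI.exe",
                 r"powershell.exe -NoProfile -ExecutionPolicy Bypass -w hidden -File C:\Users\victim\AppData\Local\Temp\run.ps1"),
]
SAMPLE_SCRIPT_BLOCKS = [
    ScriptBlockEvent(4120, "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5"),
    ScriptBlockEvent(5288, 'Add-Type -Name Win -Namespace Native -MemberDefinition @"\n'
                           '[DllImport("kernel32.dll")] public static extern IntPtr GetConsoleWindow();\n'
                           '[DllImport("user32.dll")] public static extern bool ShowWindow(IntPtr h, int n);\n'
                           '"@\n[Native.Win]::ShowWindow([Native.Win]::GetConsoleWindow(), 0)\n'
                           '$aes = [System.Security.Cryptography.Aes]::Create()\n'
                           '$enc = $aes.CreateEncryptor()\n'),
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_PROCESSES, SAMPLE_SCRIPT_BLOCKS):
        print(f"ALERT pid={a.pid} parent={a.parent_image}")
        for r in a.reasons:
            print("  -", r)
```

Requiring both API names together keeps ordinary `Add-Type` interop from firing on its own; the parent allow-list is where most tuning happens in practice, since legitimate installers and RMM tools also spawn PowerShell.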
## Mitigation Strategies
- Verify download sources meticulously and obtain AI tools exclusively from reputable vendors.
- Use Zero Trust principles like Cisco Secure Access to limit access regardless of user location.
- Deploy Secure Internet Gateways (like Cisco Umbrella) to block connections to known malicious domains (`novaleadsai[.]com`).
- Implement Cisco Secure Web Appliance to block access to potentially dangerous sites.
- Utilize Multi-Factor Authentication (Cisco Duo) to protect network access.
- Ensure EDR/AV solutions are updated with the latest signatures for known IOCs.
## Related Tools/Techniques
- Lucky_Gh0$t (Ransomware, variant of Yashma, 6th iteration of Chaos ransomware)
- Numero (Destructive malware)
- SEO-poisoning and social media platforms (Distribution techniques)
---
# Tool/Technique: Lucky\_Gh0$t Ransomware
## Overview
Lucky\_Gh0$t is identified as another variant of the Yashma ransomware, which itself belongs to the Chaos ransomware series (sixth iteration). It was discovered disguised as a legitimate AI tool installer. The variant reportedly features only minor modifications to its binary structure compared to previous iterations.
## Technical Details
- Type: Malware family (Ransomware variant)
- Platform: Unknown (Implied Windows due to context of other threats)
- Capabilities: File encryption (inherited from parent ransomware)
- First Seen: Current threat observation (May 2025)
## MITRE ATT&CK Mapping
*Note: Specific TTPs are inferred based on its ransomware classification.*
- T1486 - Data Encrypted for Impact
## Functionality
### Core Capabilities
- Encrypts victim files for extortion.
### Advanced Features
- Minor modifications to the known ransomware binary structure.
## Indicators of Compromise
- File Hashes: [Not explicitly provided]
- File Names: [Not explicitly provided]
- Network Indicators: [Not explicitly provided]
- Behavioral Indicators: Shares its distribution vector (masquerading as an AI tool installer) with CyberLock.
- ClamAV Detections: `Win.Dropper.LuckyGhost-10045078-0`, `Win.Ransomware.LuckyGhost-10045080-0`
## Associated Threat Actors
- Undisclosed threat actors.
## Detection Methods
- Signature-based detection:
  - ClamAV Detections: `Win.Dropper.LuckyGhost-10045078-0`, `Win.Ransomware.LuckyGhost-10045080-0`
## Mitigation Strategies
- Standard ransomware prevention focusing on source verification and endpoint protection.
## Related Tools/Techniques
- Chaos Ransomware (Parent family)
- Yashma Ransomware (Direct precursor)
---
# Tool/Technique: Numero Malware
## Overview
Numero is a newly discovered destructive malware that masquerades as a legitimate AI tool installer. Unlike ransomware, its primary destructive action targets the Graphical User Interface (GUI) components of the Windows Operating System, rendering affected systems completely unusable.
## Technical Details
- Type: Malware (Destructive)
- Platform: Windows OS
- Capabilities: Destruction of GUI components, rendering systems unusable.
- First Seen: Current threat observation (May 2025)
## MITRE ATT&CK Mapping
*Note: Specific TTPs are inferred based on destructive impact on the operating system.*
- T1485 - Data Destruction (Applied to OS functionality/interface rather than user files)
- T1089 - Impair Defenses (If GUI manipulation hinders user ability to interact with security tools)
## Functionality
### Core Capabilities
- Manipulates GUI components of the Windows OS.
- Aims for complete system unusability (destructive).
### Advanced Features
- Targeted GUI manipulation suggests deep knowledge of Windows shell/UI processes.
## Indicators of Compromise
- File Hashes: [Not explicitly provided]
- File Names: [Not explicitly provided]
- Network Indicators: [Not explicitly provided]
- Behavioral Indicators: Process modification that causes visible graphical failure or instability across Windows Explorer and desktop components.
- ClamAV Detections: `Win.Loader.Numero-10045084-0`, `Win.Dropper.Numero-10045088-0`, `Win.Malware.Numero-10045090-0`, `Win.Malware.Numero-10045093-0`
## Associated Threat Actors
- Undisclosed threat actors.
## Detection Methods
- Signature-based detection:
  - ClamAV Detections: `Win.Loader.Numero-10045084-0`, `Win.Dropper.Numero-10045088-0`, `Win.Malware.Numero-10045090-0`, `Win.Malware.Numero-10045093-0`
- Behavioral detection: Monitoring for unauthorized manipulation of critical Windows GUI elements or shell processes.
## Mitigation Strategies
- Strict application whitelisting, combined with endpoint detection focusing on unauthorized system component tampering.
## Related Tools/Techniques
- Other malware distributed via fraudulent AI installer themes.