Republished on July 25 with new ransomware intelligence following FBI warning.
If you use a Windows, it’s likely Chrome is installed as the default browser on your PC. Google’s browser still dominates, despite Microsoft’s continued attempts to push users to the Edge and the new threat from AI browsers which is picking up pace.
But Chrome is a victim of its own success. Because attackers know you likely have it installed, it’s the perfect access point to your PC and your data if they can find a way in. That’s why you see a procession of zero-day warnings and emergency updates. It’s also why the FBI is warning of the critical threat from fake Chrome updates.
So it is with the latest warning from FBI and CISA — America’s cyber defense agency — as part of the “ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.”
The latest advisory issued on Tuesday is aimed at the recent surge in Interlock ransomware attacks. And while most of the advice is for those responsible for securing corporate networks and enforcing IT polices, it carries a warning for PC users as well.
Ransomware attacks need a way in, so called “initial access.” And if you have a PC (or smartphone) connected to your employer’s network, that means you. The advisory also urges organizations to “train users to spot social engineering attempts.”
In the case of Interlock, two such methods of initial entry use the same lures as attackers are using to target your personal accounts and the data and security credentials on your own devices. You should be watching for these anyway.
One of the methods is ClickFix, which is easy to detect. This is where a message or popup instructs you to paste text into a Windows command and then execute that script. It’s done by faking a technical problem or a secure site or file you need to open. Any such instruction is always an attack and must be ignored.
But the primary method of initial entry flagged by the FBI is unofficial Chrome updates. “The fake Google Chrome browser executable functions as a remote access trojan (RAT) designed to execute a PowerShell script that drops a file into the Windows Startup folder. From there, the file is designed to run the RAT every time the victim logs in.”
Fake Chrome installations and updates have become a recurring theme — on Windows PCs and also on Android smartphones. As with ClickFix, the advice is very clear. Do not access updates or fresh installations using links sent in emails or messages. Always download apps and updates from official stores or websites.
Remember that Chrome will automatically download updates and instruct you to restart your browser once that’s done to make sure it installs. You don’t need to hunt these down or follow arbitrary links, however those links are sent to you.
Using these tactics to compromise user devices and steal enterprise credentials is not the usual method of entry for ransomware. But Interlock is new and was first seen last year, so maybe it’s not surprising it’s using easy to deploy lures surging elsewhere.
Fortunately, avoiding those two traps is just as easy if you know what to look for. Meanwhile, you should update Chrome — the official way — as soon as possible, given Google’s latest set of high-severity fixes also issued on Tuesday.
In the wake of the FBI’s latest ransomware warning, there’s now some better news courtesy of NCC. “Ransomware attacks,” it says, “fell by almost half in Q2.” But even so, these attacks remain “on the front line of cyber warfare.”
NCC says that “despite a record-breaking start to the year, June was the fourth month in a row in which ransomware attacks dropped globally, declining by 6% with 371 cases. Q2 as a whole experienced a 43% decline from Q1 due to seasonal slowdowns such as Easter and Ramadan, and increased law enforcement disruption of key operators.”
It will be interesting to see whether the current SharePoint attacks exploiting unfixed Microsoft vulnerabilities shift those numbers over the coming weeks. As Microsoft has warned, “we have observed a China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities to deploy ransomware.”
Unlike the Chrome warning, which applies only to fake updates not the real browser, the SharePoint attacks do exploit genuine versions of the product. “With the rapid adoption of these exploits,” Microsoft says it “assesses with high confidence that threat actors will continue to integrate them into their attacks.”
NCC precipiently notes that “the decline created space for new threat actors to exploit global instability and, looking ahead to Q3, we can expect disrupted groups to return in collaboration with social engineering actors, conducting more advanced attacks.”
