According to TheRegister.com, the Rhysida ransomware gang has been running a sophisticated malvertising campaign since June 2024 that uses fake Microsoft Teams advertisements in search engines to deliver malware. The campaign delivers OysterLoader malware, also known as Broomstick and CleanUpLoader, and has been observed using new advertisements, domains, and malware as recently as October 2024. Rhysida, which operates under a ransomware-as-a-service model and previously operated as Vice Society, has posted 27 organizations on its data leak site since June and around 200 since 2023. The gang uses advanced techniques, including packing tools to hide the malware's capabilities and code-signing certificates to trick Windows into trusting malicious files; its latest campaign uses more than 40 such certificates, indicating an increased operational tempo. This evolving threat highlights the growing sophistication of ransomware attacks targeting legitimate business tools.
The Evolution of Malvertising Tactics
What makes this campaign particularly dangerous is how it exploits user trust in both search engine advertising and legitimate business tools. Malware delivery through search ads represents a significant escalation in attack methodology because it bypasses traditional user skepticism. When users see ads at the top of search results for familiar software like Microsoft Teams, they’re more likely to click without hesitation. The criminals are essentially weaponizing the trust that users place in search engine results and established business applications. This approach is far more effective than traditional phishing emails because it targets users at the moment they’re actively seeking software solutions.
Technical Sophistication and Evasion Techniques
The technical execution of this campaign reveals a highly sophisticated operation. The use of packing tools to achieve low detection rates on VirusTotal and other platforms shows these attackers understand exactly how security researchers analyze malware. By keeping detection rates to five or fewer engines initially, they create a window of opportunity where the malware can spread before security vendors catch up. The massive increase from seven certificates in their first campaign to over forty in the current wave demonstrates significant resource investment and operational maturity. This isn’t a simple script-kiddie operation but a professional criminal enterprise with substantial infrastructure.
Ransomware-as-a-Service Business Model Implications
The ransomware-as-a-service model that Rhysida employs represents a fundamental shift in the cybercrime economy. This business approach allows the core developers to focus on improving their malware and evasion techniques while affiliates handle the actual attacks. As documented in previous research, this division of labor makes ransomware operations more scalable and resilient. When law enforcement takes down one affiliate group, the core infrastructure remains intact and can quickly recruit new partners. The RaaS model also lowers the technical barrier to entry for would-be ransomware operators, effectively creating a franchise system for cybercrime.
The Defense Challenge and Detection Gaps
This campaign exposes significant gaps in current security approaches. The combination of Latrodectus malware for initial access and OysterLoader for payload delivery creates a multi-stage attack that’s difficult to detect with signature-based defenses alone. As earlier research indicated, OysterLoader’s capabilities include establishing persistence and downloading additional payloads, making it an ideal tool for ransomware deployment. The fact that Microsoft had to revoke over 200 certificates used by this group shows how effectively they’re abusing trust mechanisms designed to protect users.
Broader Industry Implications
This campaign should serve as a wake-up call for organizations relying solely on traditional security measures. The abuse of legitimate search engine advertising platforms means that even security-conscious users can be tricked. Companies need to implement application allowlisting, network segmentation, and behavioral detection capabilities rather than relying solely on antivirus solutions. The ongoing nature of this campaign, with continuous updates to advertisements and domains, suggests this isn’t a one-off operation but an established business model for these criminals. As Expel’s detailed analysis shows, defenders must assume that these attackers will continue evolving their techniques as security measures improve.
Future Outlook and Protection Strategies
Looking ahead, we can expect to see more ransomware groups adopting similar malvertising tactics. The success of this approach, combined with the difficulty in completely preventing it, makes it an attractive option for cybercriminals. Organizations should implement comprehensive security awareness training that specifically addresses the risks of clicking on search ads for software downloads. Technical controls should include certificate pinning, application control policies, and enhanced monitoring of download activities. The cat-and-mouse game between attackers and defenders will continue, but understanding the sophistication of campaigns like Rhysida’s is the first step toward developing more effective countermeasures.
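One concrete form of the "enhanced monitoring of download activities" and signer checks mentioned above, written here as an added example rather than code from the source or from any vendor named on the page: it triages download events for installers that carry the Teams name but were fetched from an unexpected host or are signed by a publisher other than the expected one. The event layout, the trusted-host list, the expected signer name and the sample events are assumptions constructed for the example, not indicators from the campaign.

```python
"""Triage download events for Microsoft Teams installer lures (added example;
the event layout, trusted hosts and sample events are constructed assumptions)."""
import re
from urllib.parse import urlparse

# Hosts a genuine Teams installer is expected to come from (assumption).
TRUSTED_DOWNLOAD_HOSTS = {"teams.microsoft.com", "go.microsoft.com", "statics.teams.cdn.office.net"}
# Publisher a genuine Microsoft installer is signed by (assumption).
TRUSTED_SIGNER = "Microsoft Corporation"

TEAMS_NAME = re.compile(r"teams", re.IGNORECASE)
INSTALLER_EXT = re.compile(r"\.(exe|msi|msix)$", re.IGNORECASE)


def triage_event(event):
    """Return reasons one event looks like a Teams-lure download ([] = clean).

    event: dict with 'url', 'filename' and 'signer' (None when unsigned).
    """
    name = event["filename"]
    if not (TEAMS_NAME.search(name) and INSTALLER_EXT.search(name)):
        return []  # not a Teams-named installer; out of scope for this rule
    reasons = []
    # Exact host match: a lookalike such as teams-microsoft.example does not pass.
    host = (urlparse(event["url"]).hostname or "").lower()
    if host not in TRUSTED_DOWNLOAD_HOSTS:
        reasons.append(f"fetched from untrusted host {host!r}")
    # A valid signature alone is not enough: the loader was signed with
    # certificates issued to other entities, so check the signer's identity.
    signer = event.get("signer")
    if signer is None:
        reasons.append("installer is unsigned")
    elif signer != TRUSTED_SIGNER:
        reasons.append(f"signed by {signer!r}, not {TRUSTED_SIGNER!r}")
    return reasons


def triage_all(events):
    """Map each flagged URL to its reasons; clean events are omitted."""
    return {e["url"]: r for e in events if (r := triage_event(e))}


# Constructed sample events for a stand-alone run (not real indicators).
SAMPLE_EVENTS = [
    {"url": "https://go.microsoft.com/fwlink/MSTeamsSetup.exe",
     "filename": "MSTeamsSetup.exe", "signer": "Microsoft Corporation"},
    {"url": "https://teams-download-portal.example/MSTeamsSetup_c.exe",
     "filename": "MSTeamsSetup_c.exe", "signer": "Example Software Ltd"},
    {"url": "https://cdn.example/report.pdf", "filename": "report.pdf", "signer": None},
]
```

Running `triage_all(SAMPLE_EVENTS)` flags only the lookalike-host download, with both an untrusted-host and a wrong-signer reason; feeding it real proxy or EDR events requires mapping their fields onto the same three keys.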
