If you use a Windows PC, it’s likely Chrome is installed as the default browser. Google’s browser still dominates, despite Microsoft’s continued attempts to push users to Edge and the new threat from AI browsers, which is picking up pace.
But Chrome is a victim of its own success. Because attackers know you likely have it installed, it’s the perfect access point to your PC and your data if they can find a way in. That’s why you see a procession of zero-day warnings and emergency updates. It’s also why the FBI is warning of the critical threat from fake Chrome updates.
So it is with the latest warning from the FBI and CISA — America’s cyber defense agency — as part of the “ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors.”
The latest advisory, issued on Tuesday, is aimed at the recent surge in Interlock ransomware attacks. And while most of the advice is for those responsible for securing corporate networks and enforcing IT policies, it carries a warning for PC users as well.
Ransomware attacks need a way in, so-called “initial access.” And if you have a PC (or smartphone) connected to your employer’s network, that means you. The advisory also urges organizations to “train users to spot social engineering attempts.”
In the case of Interlock, two such methods of initial entry use the same lures as attackers are using to target your personal accounts and the data and security credentials on your own devices. You should be watching for these anyway.
One of the methods is ClickFix, which is easy to detect. This is where a message or popup instructs you to paste text into a Windows command window and then execute that script. It’s done by faking a technical problem, or a secure site or file you need to open. Any such instruction is always an attack and must be ignored.
But the primary method of initial entry flagged by the FBI is unofficial Chrome updates. “The fake Google Chrome browser executable functions as a remote access trojan (RAT) designed to execute a PowerShell script that drops a file into the Windows Startup folder. From there, the file is designed to run the RAT every time the victim logs in.”
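The persistence described in the advisory relies on a file planted in the Windows Startup folder, which is something a PC user or helpdesk can audit directly. The following PowerShell script is an added example (not from the advisory or the article): it lists everything in the per-user and all-users Startup folders, resolves shortcut targets, and flags entries that are recently created, unsigned, or launch a script or executable. The seven-day "recent" window is an assumption; it changes nothing on the machine.

```powershell
# Added example: read-only audit of the Windows Startup folders.
# Flags recent, unsigned, or script/executable entries for review.
function Get-StartupFolderReport {
    param([int]$RecentDays = 7)   # assumption: 7 days counts as "recent"

    $folders = @(
        [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    ) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

    $shell = New-Object -ComObject WScript.Shell
    $suspiciousExt = '.exe', '.ps1', '.bat', '.cmd', '.vbs', '.js', '.hta', '.scr'

    foreach ($folder in $folders) {
        foreach ($item in Get-ChildItem -LiteralPath $folder -File -Force) {
            $target = $item.FullName
            # Shortcuts are common here; report what they actually launch.
            if ($item.Extension -ieq '.lnk') {
                $lnk = $shell.CreateShortcut($item.FullName)
                if ($lnk.TargetPath) { $target = $lnk.TargetPath }
            }
            $ext    = [IO.Path]::GetExtension($target).ToLower()
            $signed = $false
            if (Test-Path -LiteralPath $target -PathType Leaf) {
                # Authenticode check on the file that actually runs at logon
                $sig    = Get-AuthenticodeSignature -LiteralPath $target
                $signed = ($sig.Status -eq 'Valid')
            }
            $flags = @()
            if ($item.CreationTime -gt (Get-Date).AddDays(-$RecentDays)) { $flags += 'recent' }
            if (-not $signed) { $flags += 'unsigned' }
            if ($suspiciousExt -contains $ext) { $flags += 'script/exe' }

            [pscustomobject]@{
                Folder  = $folder
                Entry   = $item.Name
                Target  = $target
                Created = $item.CreationTime
                Signed  = $signed
                Flags   = ($flags -join ',')
            }
        }
    }
}

Get-StartupFolderReport | Sort-Object Created -Descending | Format-Table -AutoSize
```

An entry flagged `recent,unsigned,script/exe` that you did not add yourself is worth investigating before the next logon runs it.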
Fake Chrome installations and updates have become a recurring theme — on Windows PCs and also on Android smartphones. As with ClickFix, the advice is very clear. Do not access updates or fresh installations using links sent in emails or messages. Always download apps and updates from official stores or websites.
Remember that Chrome automatically downloads updates and then prompts you to restart your browser so the update installs. You don’t need to hunt these down or follow arbitrary links, however those links reach you.
Using these tactics to compromise user devices and steal enterprise credentials is not the usual method of entry for ransomware. But Interlock is new, first seen last year, so it’s perhaps not surprising that it’s using the easy-to-deploy lures surging elsewhere.
Fortunately, avoiding those two traps is just as easy if you know what to look for. Meanwhile, you should update Chrome — the official way — as soon as possible, given Google’s latest set of high-severity fixes also issued on Tuesday.