Mozilla issued a warning this week over malicious websites offering Thunderbird downloads after a ransomware group was caught using this technique to deliver malware.
Cybersecurity journalist Brian Krebs reported last week that a website where the Snatch ransomware group names victims had been leaking data, including visitor IPs and information on internal operations.
According to Krebs, the leaked data suggests that the Snatch cybercrime group has been using paid Google ads to deliver its malware disguised as popular applications such as Adobe Reader, Discord, Microsoft Teams, and Mozilla Thunderbird.
Following Krebs’ findings, Mozilla issued a ‘ransomware alert’ this week, advising users to only download Thunderbird from trusted websites.
Mozilla noted that it’s actively trying to take down malicious websites offering Thunderbird, but they are hosted in Russia, which makes takedowns “difficult and often not effective”.
Thunderbird has a market share of less than one percent in the email client category. However, that still translates to a significant number of individuals and organizations, which could be targeted by the Snatch ransomware.
The US government issued an alert recently, warning critical infrastructure organizations of ongoing Snatch ransomware attacks.