Rhysida Ransomware Spreads Through Abused Bing Ads

The line between legitimate online activity and malicious attacks is becoming increasingly blurred. Cybercriminals are constantly finding new ways to exploit trusted platforms to deceive unsuspecting users. A recent campaign by the Rhysida ransomware group highlights this trend, leveraging phishing sites and abused Bing search ads to spread their malware.

This campaign is a significant development in ransomware attack news. It demonstrates a sophisticated method of distribution that relies on the credibility of major advertising platforms to lure victims. By understanding the mechanics of this attack, businesses and individuals can better protect themselves from similar threats.

This post will break down how the Rhysida group executes these attacks, the tools they use, and the steps you can take to avoid becoming their next victim. Staying informed about news of these evolving phishing tactics is the first step toward building a stronger defense.

What is Rhysida Ransomware?

First identified in May 2023, Rhysida is a ransomware-as-a-service (RaaS) operation that has quickly gained notoriety for targeting organizations across various sectors, including education, healthcare, manufacturing, and government. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued alerts about the group, highlighting the significant threat they pose.

Like many ransomware groups, Rhysida operates on a double-extortion model. They not only encrypt the victim's files, making them inaccessible, but also steal sensitive data before encryption. The attackers then threaten to release this stolen data publicly on their data leak site if the ransom is not paid. This adds immense pressure on victims to comply with their demands. The group's name, which is derived from a type of large centipede, reflects their aggressive and predatory nature.

How Does the Bing Ads Attack Work?

The latest campaign from the Rhysida group shows a concerning level of sophistication. Instead of relying solely on traditional email phishing, they have co-opted a legitimate advertising network to reach a wider audience. This tactic is particularly dangerous because search engine ads are often trusted by users looking for specific software or tools.

Step 1: The Lure with Bing Ads

The attack begins with malicious ads displayed on Microsoft's Bing search engine. Cybercriminals create ads that appear to link to legitimate software downloads, such as document viewers or VPN installers. For example, a user searching for "Soda PDF" or "ProtonVPN" might see an ad at the top of the search results that looks authentic. These ads are crafted to mimic the branding and messaging of the real software companies.

When a user clicks on one of these ads, they are not taken to the official website. Instead, they are redirected through a series of domains to a phishing website controlled by the attackers.

Step 2: The Phishing Website

The phishing sites are designed to be convincing replicas of the legitimate software pages. They feature the correct logos, color schemes, and layouts, making it difficult for the average user to spot the deception. The primary call-to-action on these sites is a "Download" button.

Clicking this button initiates the download of a malicious installer. The file often has a name that matches the software the user was searching for, further concealing its true nature. These installers are the carriers for the Rhysida ransomware.

Step 3: Malware Execution and Payload Delivery

Once the user runs the downloaded installer, the attack chain is set in motion. The installer is typically a signed binary, which can sometimes help it evade initial security checks. It then uses a technique known as DLL side-loading to execute the malicious code.

The installer deploys a legitimate application along with a malicious dynamic-link library (DLL) file in the same directory. When the legitimate application runs, it inadvertently loads the malicious DLL, which contains the next stage of the attack. This payload is often an open-source backdoor, such as backdoor.c, which establishes a command-and-control (C2) connection with the attackers' servers.
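As an added example (my code, not the article's or any vendor's), here is a defender-side Python check for the side-loading layout described above: it walks a directory tree and flags any DLL bearing a Windows system-DLL name that sits next to an executable outside the system directories. The DLL name list and the constructed sample layout are assumptions for the example.

```python
import os
import tempfile
from typing import List, Tuple

# Windows system DLLs that applications commonly import and that are therefore
# planted beside a legitimate EXE for side-loading. This list is an assumption
# for the example, not an indicator set from the article.
SYSTEM_DLL_NAMES = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll",
    "cryptbase.dll", "profapi.dll", "msimg32.dll", "winmm.dll",
}

# Directories where those DLLs legitimately live; copies elsewhere are suspect.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def find_sideload_candidates(root: str) -> List[Tuple[str, str]]:
    """Return (exe, dll) pairs where a DLL with a system-DLL name sits in the
    same directory as an executable, outside the trusted system directories."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if dirpath.lower().startswith(TRUSTED_DIRS):
            continue
        exes = [f for f in files if f.lower().endswith(".exe")]
        dlls = [f for f in files if f.lower() in SYSTEM_DLL_NAMES]
        for exe in exes:
            for dll in dlls:
                hits.append((os.path.join(dirpath, exe), os.path.join(dirpath, dll)))
    return hits


def build_sample_tree() -> str:
    """Create a constructed sample layout (empty files, not real malware): one
    directory mimicking a side-loading drop and one clean directory."""
    root = tempfile.mkdtemp(prefix="sideload_demo_")
    drop = os.path.join(root, "SodaPDF_Installer")
    clean = os.path.join(root, "CleanTool")
    os.makedirs(drop)
    os.makedirs(clean)
    for name in ("SodaPDF-Setup.exe", "version.dll"):
        open(os.path.join(drop, name), "wb").close()
    open(os.path.join(clean, "tool.exe"), "wb").close()
    return root


if __name__ == "__main__":
    for exe, dll in find_sideload_candidates(build_sample_tree()):
        print(f"possible side-loading pair: {exe} <- {dll}")
```

A real deployment would add a signature check on the DLL and compare its hash with the copy in System32, which the constructed sample cannot show.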

Step 4: Gaining Control and Deploying Ransomware

With the backdoor installed, the attackers gain remote access to the compromised system. They can then perform reconnaissance, escalate privileges, and move laterally across the network to identify valuable data.

Once they have established a strong foothold, the final payload—the Rhysida ransomware—is deployed. The ransomware encrypts files on the compromised machine and any connected network shares. A ransom note is then left on the system, instructing the victim on how to pay the ransom to receive a decryption key and prevent their data from being leaked.

How to Protect Yourself?

News of this type of phishing attack can be alarming, but there are concrete steps you can take to defend against it. Protection requires a combination of user vigilance and robust security measures.

  • Be Skeptical of Ads: Treat search engine ads with caution, even if they appear at the top of the results. Instead of clicking the ad, navigate directly to the official website by typing the URL into your browser or using a bookmark.

  • Verify Website URLs: Before downloading any software, carefully inspect the website's URL. Look for subtle misspellings or unusual domain extensions. Secure websites will use HTTPS, but this is not a guarantee of legitimacy, as many phishing attack sites now use it too.

  • Use Ad Blockers: Employing a reputable ad blocker can prevent malicious ads from being displayed in the first place, reducing the risk of accidental clicks.

  • Enable Multi-Factor Authentication (MFA): MFA adds a critical layer of security that can prevent unauthorized access to your accounts, even if your credentials are stolen.

  • Keep Software Updated: Regularly update your operating system, web browser, and security software to ensure you are protected against the latest known vulnerabilities.

  • Implement Endpoint Security: Use a comprehensive endpoint detection and response (EDR) solution that can detect and block malicious activity, such as unusual file executions or C2 communications.
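To make the URL-inspection advice concrete, here is an added Python example (my code, not the article's) that classifies a download URL as official, lookalike or unrelated against a small allow-list of official domains. The official domain list and the sample URLs are constructed assumptions, and the check deliberately ignores the scheme, since HTTPS on a phishing site proves nothing.

```python
from urllib.parse import urlsplit

# Official domains of the products the campaign impersonates. Soda PDF and
# ProtonVPN are named in the article; these exact domains are my assumption.
OFFICIAL_DOMAINS = {"sodapdf.com", "protonvpn.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list is used,
    so 'co.uk'-style suffixes are not handled."""
    return ".".join(host.split(".")[-2:])


def assess_url(url: str):
    """Return (verdict, domain): 'official', 'lookalike', 'unrelated' or 'invalid'.
    The URL scheme is ignored on purpose: HTTPS is not a sign of legitimacy."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ("invalid", None)
    domain = registrable_domain(host)
    if domain in OFFICIAL_DOMAINS:
        return ("official", domain)
    squashed = host.replace("-", "")               # soda-pdf -> sodapdf
    label = domain.split(".")[0].replace("-", "")  # second-level label only
    for official in OFFICIAL_DOMAINS:
        brand = official.split(".")[0]
        # Brand name embedded anywhere in the host, or a near-miss spelling
        # of it as the registrable label, is treated as a lookalike.
        if brand in squashed or edit_distance(label, brand) <= 2:
            return ("lookalike", official)
    return ("unrelated", domain)


if __name__ == "__main__":
    # Constructed sample URLs, not indicators from the article.
    for u in ("https://www.sodapdf.com/download", "https://soda-pdf-downloads.example/setup",
              "https://protonvpm.net/", "https://sodapdf.com.evil.example/", "https://example.org/"):
        print(u, "->", assess_url(u))
```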

Your First Line of Defense

The Rhysida ransomware campaign abusing Bing Ads is a stark reminder that cybercriminals are constantly evolving their tactics. By exploiting trusted platforms, they can bypass traditional defenses and reach users who might otherwise be cautious. This latest ransomware attack news underscores the importance of a multi-layered security approach and continuous user education.

Staying informed about threats like these is crucial for both individuals and organizations. By being vigilant about the links you click and implementing strong security practices, you can significantly reduce your risk of falling victim to a ransomware attack. Awareness is your first and most powerful line of defense in the ongoing fight against cybercrime.