
CyberLock

CyberLock is a Windows ransomware family reported by Cisco Talos in campaigns that masqueraded as legitimate AI tool installers. It was distributed via SEO poisoning and a fake NovaLeads AI website at novaleadsai[.]com impersonating the legitimate novaleads.app service, with activity observed as early as February 2025. The lure targeted users and organizations seeking AI solutions, with Talos specifically noting elevated risk to businesses in B2B sales, technology, and marketing sectors.

In the observed infection chain, victims downloaded a ZIP archive containing a .NET executable named NovaLeadsAI.exe, compiled on February 2, 2025. That executable is a loader that carries the CyberLock ransomware as a PowerShell script stored in an embedded resource. CyberLock is written in PowerShell with embedded C# code; it hides its console window by calling GetConsoleWindow and ShowWindow, and if it is not already running elevated it elevates privileges and re-executes itself with administrative rights.

Once executed, CyberLock enumerates the folders and files on the C:\, D:\ and E:\ logical partitions and encrypts targeted files with AES, appending the .cyberlock extension to each encrypted file. Talos reported that it targets a broad range of file types, including documents, spreadsheets, presentations, PDFs, images, audio, video, archives, executables, source code, databases, configuration files, fonts, design files, backups, GIS files, and other data files. It drops a ransom note named ReadMeNow.txt on the victim's desktop and changes the desktop wallpaper by downloading an image and pointing the Wallpaper registry value at it.
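The artifacts just described (the .cyberlock extension, the ReadMeNow.txt note, the C:\, D:\ and E:\ roots) are what a responder checks first. The script below is an added example, not Talos or Mallory code: it walks a set of roots, separates .cyberlock files whose contents are actually high-entropy (consistent with AES ciphertext) from files that merely carry the extension, and lists every ransom note. The entropy threshold, the sample directory tree and the note text are assumptions constructed for the demonstration.

```python
"""Offline triage for CyberLock filesystem artifacts.

Example added for this page, not Talos or Mallory code. The extension, note
name and roots come from the report above; the threshold, sample tree and note
text are constructed assumptions.
"""
import hashlib
import math
import tempfile
from pathlib import Path

CYBERLOCK_EXT = ".cyberlock"             # appended to encrypted files (report)
RANSOM_NOTE = "ReadMeNow.txt"            # dropped on the desktop (report)
DEFAULT_ROOTS = ["C:\\", "D:\\", "E:\\"]  # partitions the sample enumerates (report)
HIGH_ENTROPY = 7.2   # bits/byte; assumption: AES output sits near 8.0, documents far lower
SAMPLE_BYTES = 65536  # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(roots) -> dict:
    """Walk roots and classify CyberLock artifacts.

    'encrypted'    .cyberlock files whose head is high-entropy (AES-like)
    'renamed_only' .cyberlock files that are still low-entropy (extension
                   applied but no ciphertext, e.g. an interrupted run)
    'notes'        every ReadMeNow.txt found
    """
    out = {"encrypted": [], "renamed_only": [], "notes": []}
    for root in roots:
        base = Path(root)
        if not base.exists():
            continue  # e.g. no E:\ on this host
        for path in base.rglob("*"):
            if not path.is_file():
                continue
            if path.name.lower() == RANSOM_NOTE.lower():
                out["notes"].append(str(path))
            elif path.suffix.lower() == CYBERLOCK_EXT:
                with path.open("rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
                bucket = "encrypted" if shannon_entropy(head) >= HIGH_ENTROPY else "renamed_only"
                out[bucket].append(str(path))
    for key in out:
        out[key].sort()
    return out


def build_sample_tree() -> str:
    """Constructed victim tree for the demonstration; returns its root."""
    root = tempfile.mkdtemp(prefix="cyberlock_demo_")
    docs = Path(root, "Users", "victim", "Documents")
    desk = Path(root, "Users", "victim", "Desktop")
    docs.mkdir(parents=True)
    desk.mkdir(parents=True)
    # Deterministic pseudo-random bytes standing in for AES ciphertext.
    ciphertext = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    (docs / "Q1-forecast.xlsx.cyberlock").write_bytes(ciphertext)
    (docs / "pitch.pptx.cyberlock").write_bytes(ciphertext[::-1])
    # Extension applied but the body is plain text: must not count as encrypted.
    (docs / "todo.txt.cyberlock").write_bytes(b"call vendor back\n" * 256)
    (docs / "untouched.txt").write_bytes(b"nothing to see here\n")
    (desk / RANSOM_NOTE).write_text("constructed stand-in for the ransom note\n")
    return root


if __name__ == "__main__":
    report = triage([build_sample_tree()])  # on a real host: triage(DEFAULT_ROOTS)
    for key, paths in report.items():
        print(f"{key}: {len(paths)}")
        for p in paths:
            print("   ", p)
```

The extension alone is not proof of encryption, which is why the entropy split matters: a file renamed by an interrupted run may still be recoverable as-is, while a high-entropy file is only recoverable from backup. On a real host, run `triage(DEFAULT_ROOTS)` from an elevated prompt, or point it at a mounted forensic image.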

CyberLock also runs the Windows LOLBin cipher.exe with the /w option to overwrite free space on the hard drive partitions. That option does not touch live files; it wipes unallocated space, so the plaintext originals deleted during encryption cannot be carved back out. The ransom note instructed victims to contact cyberspectreislocked@onionmail[.]org and demanded $50,000 payable in Monero (XMR). The note claimed the funds would support humanitarian aid and threatened to expose stolen data within three days, but Talos found no evidence in the ransomware code of any data exfiltration capability.
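The behaviours above (cipher.exe /w, PowerShell writing the Wallpaper registry value, and child processes of the NovaLeadsAI.exe loader) are all visible in process-creation telemetry. The following is an added example of detection logic run over constructed events, not Talos or Mallory code. The events imitate Sysmon Event ID 1 style fields but the field names, PIDs and the exact PowerShell wallpaper command line are assumptions; the third event is a benign EFS use of cipher.exe that a rule matching only the image name would mis-fire on.

```python
"""Detection logic for CyberLock process behaviours over constructed telemetry.

Example added for this page, not Talos or Mallory code. Field names and the
sample command lines are assumptions modelled on Sysmon Event ID 1.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry).
EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": "cipher.exe /w:C:\\",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 4088, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": ("powershell.exe -NoProfile -WindowStyle Hidden -Command "
                 "\"Set-ItemProperty -Path 'HKCU:\\Control Panel\\Desktop' "
                 "-Name Wallpaper -Value 'C:\\Users\\Public\\wall.jpg'\""),
     "parent_image": r"C:\Users\victim\Downloads\NovaLeadsAI.exe"},
    {"pid": 5200, "image": r"C:\Windows\System32\cipher.exe",
     "cmdline": r"cipher.exe /e C:\Users\victim\Private",   # benign EFS encryption
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 5310, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\victim\Desktop\ReadMeNow.txt",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_cipher_wipe(e) -> bool:
    """cipher.exe invoked with /w (free-space overwrite), any case, any drive."""
    return (_name(e["image"]) == "cipher.exe"
            and re.search(r"(?:^|\s)/w(?::|\s|$)", e["cmdline"], re.I) is not None)


def is_powershell_wallpaper_change(e) -> bool:
    """PowerShell command line writing Wallpaper under Control Panel\\Desktop."""
    cmd = e["cmdline"].lower()
    return (_name(e["image"]) in ("powershell.exe", "pwsh.exe")
            and "wallpaper" in cmd
            and "control panel\\desktop" in cmd)


def is_spawned_by_novaleads_loader(e) -> bool:
    """Any child of the loader file name Talos reported."""
    return _name(e["parent_image"]) == "novaleadsai.exe"


RULES = {
    "cyberlock_cipher_free_space_wipe": is_cipher_wipe,
    "cyberlock_powershell_wallpaper_change": is_powershell_wallpaper_change,
    "cyberlock_novaleadsai_loader_child": is_spawned_by_novaleads_loader,
}


def evaluate(events) -> list:
    """Return (pid, rule_name) pairs for every rule that matches each event."""
    hits = []
    for e in events:
        for name, pred in RULES.items():
            if pred(e):
                hits.append((e["pid"], name))
    return hits


if __name__ == "__main__":
    for pid, rule in evaluate(EVENTS):
        print(f"pid {pid}: {rule}")
```

The cipher rule keys on the /w switch rather than on cipher.exe itself because administrators legitimately use cipher.exe for EFS, so the image name alone produces noise. The wallpaper rule is deliberately loose about how the value is written (Set-ItemProperty, reg.exe called from PowerShell, or inline .NET) since the report only states that PowerShell commands set the Wallpaper key.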


MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique
T1608.006 SEO Poisoning (evidence: 1)

Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers, including SEO-poisoning tactics to manipulate search engine rankings and cause their malicious websites or download links to appear at the top of search engine results.

Initial Access

1 technique
T1566.002 Spearphishing Link (evidence: 2)

Threat actors are employing a variety of techniques and channels to distribute these fraudulent installers... as well as platforms such as Telegram or social media messengers.

Execution

2 techniques
T1059.001 PowerShell (evidence: 2)

CyberLock ransomware is written in PowerShell, embedded with the CSharp code and delivered to the victims as an embedded resource of the .NET loader.

T1204.002 Malicious File (evidence: 1)

Fake "ChatGPT 4.0 Premium" installer; Lucky_Gh0$t ransomware; Windows; Telegram/social media distribution.

Persistence

1 technique
T1112 Modify Registry (evidence: 1)

They then configure the registry key “Wallpaper” to the path of the downloaded image and enable the wallpaper through PowerShell commands.

Privilege Escalation

1 technique
T1548 Abuse Elevation Control Mechanism (evidence: 1)

CyberLock has the capability to elevate privileges and re-execute itself with administrative privileges if it is not already running in an elevated context.

Defense Evasion

5 techniques
T1027.009 Embedded Payloads (evidence: 1)

The ‘NovaLeadsAI.exe’ file is the loader that has the CyberLock ransomware PowerShell script embedded as the resource file.

T1036 Masquerading (evidence: 2)

Cisco Talos has discovered new threats, including the ransomware CyberLock, Lucky_Gh0$t, and a newly-discovered malware we call “Numero,” all of which masquerade as legitimate AI tool installers.

T1070.004 File Deletion (evidence: 1)

Finally, CyberLock uses the living-off-the-land binary (LoLBin) ‘cipher.exe’ with the ‘/w’ option to erase free space on the victim's hard drive partitions, hindering forensic recovery of deleted files.

T1218 System Binary Proxy Execution (evidence: 1)

Finally, CyberLock uses the living-off-the-land binary (LoLBin) ‘cipher.exe’ with the ‘/w’ option to erase free space on the victim's hard drive partitions...

T1112 Modify Registry (evidence: 1)

They then configure the registry key “Wallpaper” to the path of the downloaded image and enable the wallpaper through PowerShell commands.

Discovery

1 technique
T1083 File and Directory Discovery (evidence: 1)

CyberLock enumerates folders and files of the logical partitions with the labels ‘C:\’, ‘D:\’ and ‘E:\’.

Collection

1 technique
T1560 Archive Collected Data (evidence: 1)

When a user downloads the fake AI product as a ZIP archive, it contains a .NET executable with the file name ‘NovaLeadsAI.exe’.

Impact

2 techniques
T1486 Data Encrypted for Impact (evidence: 1)

It encrypts the targeted files using AES and appends the file extension ‘.cyberlock’ to the encrypted files.

T1491.001 Internal Defacement (evidence: 1)

Talos observed that the ransomware actor sets a wallpaper to the victim machine’s desktop after dropping the ransom note.

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
1 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
1 tracked

Other indicator types observed in public reporting.

Type     Value                      Latest sighting
domain   (withheld on this page)    1 year ago
email    (withheld on this page)    1 year ago