Mozilla has issued a warning about malicious websites that are offering downloads of Thunderbird, following reports that a ransomware group has been using this method to distribute malware. Cybersecurity journalist Brian Krebs revealed that the Snatch ransomware group was leaking data, including visitor IPs and internal operation information, on a website where they name their victims.
The data suggests that the group has been disguising its malware as popular applications such as Adobe Reader, Discord, Microsoft Teams, and Thunderbird, and promoting it through paid Google ads. In response to these findings, Mozilla has issued a ransomware alert, advising users to only download Thunderbird from trusted sources. However, taking down these malicious websites is challenging because they are hosted in Russia.
Despite having less than one percent market share in the email client category, Thunderbird still has a significant number of users who could be targeted by the Snatch ransomware. The US government has also issued an alert to critical infrastructure organizations about ongoing Snatch ransomware attacks.