Ransomware virus attacks Windows administrators by taking advantage of Google advertising
01:30:00 | 17-06-2024

Hackers bought Google ads to place links to fake websites at the top of search results, offering downloads of the PuTTY and WinSCP utilities laced with malicious code. Both are popular Windows tools among system administrators.

The ads point to fake sites on typosquatted domain names such as puutty.org, puutty[.]org, wnscp[.]net and vvinscp[.]net, whereas PuTTY's official website is https://www.chiark.greenend.org.uk/~sgtatham/putty/ and WinSCP's is winscp.net.

When the user clicks the fake link, a zip file is downloaded to the computer and launched. It downloads and runs the legitimate PuTTY or WinSCP software to deceive the user, while silently downloading and executing the malware, which takes control of the computer and encrypts all data.

System administrators have elevated privileges on Windows networks, making them valuable targets for hackers to spread viruses, steal data, take control, and execute data-encrypting malware.

Search engine advertising has also become a frequent springboard for attacks in recent years. The names of a series of popular applications have been abused to push malware-serving websites, including KeePass, CPU-Z, Notepad++, Grammarly, MSI Afterburner, Slack, Dashlane, 7-Zip, CCleaner, VLC, Malwarebytes, Audacity, µTorrent, OBS, Ring, AnyDesk, LibreOffice, TeamViewer, Thunderbird and Brave.

Bkav experts recommend:

  • Before clicking a URL, check the address carefully to make sure it contains no unusual characters. Malicious links often use domain names that look similar to, but not exactly like, the real one, for example G00gle.com instead of google.com.
  • Scan files with virustotal.com before running them.
  • Install licensed professional anti-virus software for continuous protection.
  • Back up important data regularly.
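The lookalike-domain check in the first recommendation, and the typosquatted domains listed earlier in the article, can be turned into a small screening script that a help desk or proxy team could run over URLs before anyone clicks them. The code below is an added example, not Bkav's tooling; it assumes a hand-maintained allow-list of official hostnames for the tools named in the article and a short, constructed table of character substitutions (vv for w, 0 for o, and similar) that typosquatters commonly use.

```python
from urllib.parse import urlparse

# Allow-list of official hostnames per brand (assumption: the PuTTY and WinSCP
# entries come from the article, google.com from its G00gle.com example).
OFFICIAL = {
    "putty": {"www.chiark.greenend.org.uk", "chiark.greenend.org.uk"},
    "winscp": {"winscp.net"},
    "google": {"google.com"},
}

# Constructed table of look-alike substitutions; the vv->w and 0->o pairs
# mirror the article's examples, the rest are common typosquatting tricks.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def to_host(url_or_host: str) -> str:
    """Return the lowercase hostname of a URL or bare host, accepting defanged input."""
    s = url_or_host.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if "://" not in s:
        s = "http://" + s
    return urlparse(s).hostname or ""


def normalize(label: str) -> str:
    """Undo confusable substitutions so 'vvinscp' compares as 'winscp'."""
    for bad, good in CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so one dropped or doubled letter (wnscp, puutty) still matches."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host: str):
    """Return ("official", brand), ("lookalike", brand) or ("unrelated", None)."""
    host = to_host(url_or_host)
    # Exact or subdomain match against the allow-list wins outright.
    for brand, hosts in OFFICIAL.items():
        if any(host == h or host.endswith("." + h) for h in hosts):
            return ("official", brand)
    # Otherwise compare each DNS label (ignoring www) against every brand name.
    labels = [normalize(l) for l in host.split(".") if l and l != "www"]
    for brand in OFFICIAL:
        for label in labels:
            if brand in label or levenshtein(label, brand) <= 1:
                return ("lookalike", brand)
    return ("unrelated", None)


def scan(candidates):
    """Classify a batch of URLs/hosts; returns {input: (verdict, brand)}."""
    return {c: classify(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample: the article's fake domains plus the real sites.
    sample = [
        "puutty[.]org", "wnscp[.]net", "vvinscp[.]net", "G00gle.com",
        "https://www.chiark.greenend.org.uk/~sgtatham/putty/", "winscp.net",
        "example.org",
    ]
    for item, (verdict, brand) in scan(sample).items():
        print(f"{item:55s} {verdict:10s} {brand or '-'}")
```

The check deliberately runs the allow-list first, so a legitimate subdomain of an official site is never reported as a lookalike; anything not on the allow-list whose labels are within one edit of a brand name, after undoing the confusable substitutions, is flagged for a human to review rather than blocked automatically.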

Bkav