Ransomware via Search Results: Why Your Software Download Policy Is a Security Control

by Rebecca Sutton

The assumption that ransomware comes through email is out of date. Ransomware via search results is now a documented, repeating attack route, and a newly published incident report from The DFIR Report confirms it is still working. A staff member searched Bing for business software and clicked a top result; the download carried a trojanised installer. Forty-four hours later, Akira ransomware had encrypted the organisation’s domain. No phishing email. No suspicious attachment. Just a search.

What Ransomware via Search Results Looks Like in Practice

The technique is called SEO poisoning. Attackers manipulate search rankings to push malicious sites above real vendor pages for software queries. In the case documented this week, the target was ManageEngine OpManager, a network monitoring tool. A convincing lookalike domain called opmanager[.]pro appeared near the top of Bing results. Clicking it led to a download that bundled the real software alongside a loader called Bumblebee.

The installer worked. OpManager launched and ran normally. The Bumblebee DLL loaded in parallel using a technique called side-loading, piggybacking on the legitimate Windows process consent.exe. Because the application performed as expected, the employee had no reason to suspect anything had gone wrong.

Five hours later, the attackers deployed AdaptixC2, an open-source remote access framework, giving them an interactive session on the machine. They created two rogue Enterprise Admin accounts named backup_DA and backup_EA. From there they extracted the entire Active Directory credential database, dumped credentials from Veeam backup systems, and moved across the network. Data exfiltration ran to roughly 77GB, transferred to a server in Ukraine over SFTP.

Forty-four hours from the initial search, ransomware ran. The attackers returned two days later to encrypt a child domain they had missed in the first pass.

A Policy Gap, Not a Technical One

Looking at The DFIR Report’s breakdown, this was a competent campaign but not a sophisticated one. Open-source or common tools handled most of the work. Rogue account names were generic. FileZilla over RDP handled exfiltration. None of this is novel.

What gave the attackers 44 uninterrupted hours was not their skill but the controls that were missing. No policy restricted software downloads to approved sources. No alert fired when a new Enterprise Admin account appeared. And network segmentation was absent, so a compromised workstation could reach the domain controller unchallenged. In a ransomware via search results scenario, those absent controls are the real vulnerability.

Those are gaps in policy and configuration, not technology failures. A more capable security product would not have closed them. A clearer set of rules and monitored controls would have.

Akira Does Not Need a Novel Entry Point

Akira ransomware has claimed over 1,400 victims since 2023 and collected at least $244 million in ransom, according to FBI and CISA figures. In March 2026, the group posted 84 victims in a single month. They use two main entry routes: SEO-poisoned software downloads and unpatched VPN appliances, particularly Cisco and SonicWall products. Neither requires a zero-day exploit. Both routes bypass email defences, but ransomware via search results is harder to address through standard user training. The UK government has introduced measures to restrict ransomware payments by public sector bodies, but most private sector organisations remain fully exposed.

The software targets in this campaign were chosen deliberately. ManageEngine OpManager, Advanced IP Scanner, WinMTR, Zenmap, MIB Browser: these are tools that IT administrators search for when troubleshooting a network. The attackers are not targeting security researchers with hardened workstations. They are looking for the IT manager who needs a quick download on a busy afternoon.

That is a realistic picture of how networks work in small and mid-sized organisations. Knowing that, the right question is not “could our staff be tricked?” but “what would happen if they were?”

Software Sourcing Is a Security Control

Software sourcing policy is usually treated as a procurement or licensing concern. It should also sit in the security controls list. The question to ask is simple: how do employees currently get software onto company devices?

For many organisations, the honest answer is that they search Google or Bing and download the first result that looks right. Ransomware via search results exploits exactly that habit, and closing the gap does not require specialist vendors or complex tooling. It requires an approved software list, a way for staff to access it without a web search, and application controls that prevent unsigned executables from running on company machines.

The second question: what would an employee do if they needed a specific tool today and it was not already available? If the answer is “find it online and install it”, the policy has a gap.
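One way to make the approved-list control concrete at the point of download, as an added example that is not code from the article or from any vendor: each approved product carries the vendor hosts allowed to serve it and the SHA-256 of the approved installer build, and anything else is blocked. The manifest, hostnames, hashes and installer bytes below are constructed stand-ins.

```python
"""Check a downloaded installer against an approved software manifest.

Added example, not from the article or any vendor. The manifest, hosts,
hashes and installer bytes are constructed; a real manifest would hold the
SHA-256 of the installer as published by the vendor or captured at approval.
"""
import hashlib
from urllib.parse import urlsplit

# Constructed manifest: product -> vendor hosts allowed to serve it, plus the
# SHA-256 of the approved build (computed here from constructed bytes).
APPROVED_INSTALLER = b"MZ...opmanager-setup (constructed stand-in bytes)"
MANIFEST = {
    "opmanager": {
        "hosts": {"www.manageengine.com", "download.manageengine.com"},
        "sha256": hashlib.sha256(APPROVED_INSTALLER).hexdigest(),
    },
}

def host_allowed(product, url):
    """True if the URL's host is an approved vendor host (or a subdomain of one)."""
    host = urlsplit(url).hostname or ""
    allowed = MANIFEST[product]["hosts"]
    return host in allowed or any(host.endswith("." + h) for h in allowed)

def check_download(product, url, data):
    """Return (verdict, reason). Only an 'approved' verdict should install."""
    if product not in MANIFEST:
        return "blocked", "not on the approved software list; request via IT"
    host = urlsplit(url).hostname or ""
    if not host_allowed(product, url):
        # The product name inside an unapproved host is how opmanager[.]pro read
        # to a searcher: report it as a suspected lookalike, not just a bad host.
        kind = "suspected lookalike domain" if product in host else "unapproved host"
        return "blocked", f"{kind}: {host}"
    digest = hashlib.sha256(data).hexdigest()
    if digest != MANIFEST[product]["sha256"]:
        return "blocked", "installer hash does not match the approved build"
    return "approved", digest

# Constructed cases: the vendor's own build, a bundled build from a lookalike
# host, and a modified build served from an approved host.
CASES = [
    ("opmanager", "https://www.manageengine.com/dl/setup.exe", APPROVED_INSTALLER),
    ("opmanager", "https://opmanager.pro/download/setup.exe", APPROVED_INSTALLER + b"+loader"),
    ("opmanager", "https://download.manageengine.com/setup.exe", APPROVED_INSTALLER + b"+loader"),
]

if __name__ == "__main__":
    for product, url, data in CASES:
        print(product, url, "->", check_download(product, url, data))
```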

Alongside software policy, two configuration changes would have significantly disrupted this attack. First, alerting on new Enterprise Admin account creation: accounts named backup_DA created outside normal change management are a reliable indicator of compromise. Second, restricting shadow copy deletion via Group Policy: the attackers deleted all shadow copies before encrypting, removing the most accessible recovery option. That step is preventable.
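The first of those two changes, alerting on new Enterprise Admin membership, as an added example that is not code from The DFIR Report or the article: it reads Windows Security events for account creation (4720) and additions to security-enabled global or universal groups (4728/4756), and flags any watched-group addition that falls outside an approved change window or promotes an account created only minutes earlier. The event records, account names and timestamps are constructed.

```python
"""Alert on accounts promoted to Enterprise Admins, from Windows Security events.
Added example; not code from The DFIR Report or the article. Event records are
constructed and reduced to a few fields; real events carry them in EventData.
"""
from datetime import datetime, timedelta

# 4720: user account created. 4728/4756: member added to a security-enabled
# global/universal group (Enterprise Admins is a universal group).
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4756}
WATCHED_GROUPS = {"Enterprise Admins", "Domain Admins"}

def privileged_add_alerts(events, change_window=None, new_account_age=timedelta(hours=24)):
    """Return one alert per watched-group addition that looks unmanaged.

    Flag an addition that falls outside the approved change window, or whose
    account was itself created less than new_account_age earlier (a fresh
    account going straight to Enterprise Admin: the backup_DA pattern).
    change_window is an optional (start, end) tuple of datetimes.
    """
    created = {e["account"]: e["time"] for e in events if e["id"] == ACCOUNT_CREATED}
    alerts = []
    for e in events:
        if e["id"] not in GROUP_MEMBER_ADDED or e["group"] not in WATCHED_GROUPS:
            continue
        reasons = []
        if change_window is None or not (change_window[0] <= e["time"] <= change_window[1]):
            reasons.append("outside change window")
        if e["account"] in created and e["time"] - created[e["account"]] < new_account_age:
            reasons.append("account created %s before promotion" % (e["time"] - created[e["account"]]))
        if reasons:
            alerts.append({"account": e["account"], "group": e["group"], "actor": e["actor"],
                           "time": e["time"], "reasons": reasons})
    return alerts

# Constructed sample: one approved promotion inside a change window, then two
# accounts created and promoted within minutes of each other, outside any window.
T0 = datetime(2026, 3, 9, 10, 0)
SAMPLE_EVENTS = [
    {"id": 4756, "time": T0, "actor": "CORP\\svc_iam", "account": "CORP\\j.doe", "group": "Enterprise Admins"},
    {"id": 4720, "time": T0 + timedelta(hours=16), "actor": "CORP\\user1", "account": "CORP\\backup_DA", "group": None},
    {"id": 4756, "time": T0 + timedelta(hours=16, minutes=2), "actor": "CORP\\user1", "account": "CORP\\backup_DA", "group": "Enterprise Admins"},
    {"id": 4720, "time": T0 + timedelta(hours=16, minutes=3), "actor": "CORP\\user1", "account": "CORP\\backup_EA", "group": None},
    {"id": 4756, "time": T0 + timedelta(hours=16, minutes=4), "actor": "CORP\\user1", "account": "CORP\\backup_EA", "group": "Enterprise Admins"},
]
CHANGE_WINDOW = (T0 - timedelta(hours=1), T0 + timedelta(hours=1))

if __name__ == "__main__":
    for a in privileged_add_alerts(SAMPLE_EVENTS, CHANGE_WINDOW):
        print(a["time"], a["account"], "->", a["group"], "by", a["actor"], ";", "; ".join(a["reasons"]))
```

Feeding the same rule with live 4720/4728/4756 events from the domain controllers is the alert the article says never fired.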

What a Penetration Test Would Have Found

A penetration test of this environment would surface the same issues. Accounts with excessive privileges, no alerting on new privileged account creation, backup infrastructure reachable from a workstation session, and unrestricted shadow copy deletion: all would show up. But these are not unusual findings. They appear in pen test reports across organisations of every size.

They also appear on remediation lists with a “to address later” status. The ransomware via search results route described here adds urgency to that list. Forty-four hours from a software download to full network encryption is not a slow attack. It is barely enough time to detect it, let alone respond.

If your last penetration test flagged any of these gaps, this incident is a practical argument for moving them up the priority list.
