4 October 2023

Mozilla warns of ransomware masquerading as Thunderbird

The Mozilla Foundation has warned users that ransomware actors are abusing its Mozilla Thunderbird email client to deceive potential victims.

The organization said that some of the ransomware gangs, more specifically Snatch, use malicious advertisements designed to trick people into installing malware disguised as popular software such as Microsoft Teams, Adobe Reader, Mozilla Thunderbird, and Discord.

“Remember that the Thunderbird project doesn’t require payments for downloading the Thunderbird software (although you may see a donation request when downloading from thunderbird.net), so if you are being demanded for payment for a properly working Thunderbird, something is surely wrong with the package you are downloading,” Mozilla said.

The organization added that it is trying to take down these malicious websites, although without much success, since they are hosted in Russia.

Earlier this month, the US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) published Indicators of Compromise (IoCs) and tactics, techniques, and procedures (TTPs) associated with the Snatch ransomware group known for their attacks on critical infrastructure sectors including the defense industrial base (DIB), food and agriculture, and IT sectors.

Snatch’s tactics involve data exfiltration and double extortion. After stealing data, Snatch threat actors may threaten victims with double extortion, where the victims’ data will be posted on Snatch’s data leak website if the ransom is not paid.
