Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/14/2019
04:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Valentine's Emails Laced with Gandcrab Ransomware

In the weeks leading up to Valentine's Day 2019, researchers notice a new form of Gandcrab appearing in romance-themed emails.

Hackers love the holidays, and Valentine's Day is no exception. Some cybercriminals currently are spreading the love, with a new form of Gandcrab ransomware sliding into target inboxes.

In the weeks preceding February 14, Mimecast researchers noticed cyberattackers and threat groups previously linked to Gandcrab were using the holiday to trick victims into opening malicious emails. Like Christmas, Valentine's Day is a time when people buy presents for loved ones – and the shopping period gives attackers a wider window of opportunity to strike.

There are several ways they exploit people celebrating Valentine's Day. Virtual greeting cards, and fraudulent emails offering gifts and flowers, can lure victims into downloading malicious attachments or clicking bad links. Fake surveys, malicious dating apps, and hacked (but legitimate) dating apps and websites, can be used to collect personal and financial information.

"Threat actors will typically leverage holidays throughout the year (tax season, the holidays, etc.) as a way to lure people in with something familiar, so it's no surprise that these romance-themed campaigns are flourishing around this time," Mimecast Threat Labs explains.

Now, Gandcrab is spreading via emails with malicious attachments – one of its most popular vectors. Researchers identified emails delivering the same version of Gandcrab with different subject lines related to romance: "This is my love letter to you," for example, or "Wrote my thoughts down about you." Attached is a zip file with a name similar to Love_You_2018, plus a few random digits. Executing the file downloads and launches the ransomware.

Infected victims will see a ransom note on their desktop. The note contains a link; if clicked, it asks the user to authenticate by uploading a file created by the malware. Language options offered include English, Korean, and Chinese, could shed light on the victim pool, researchers report.

Submitting the file will bring victims to a page where attackers demand ransom in exchange for their files' safe return. This campaign wants $2,500 per victim within seven days of the attack. The attackers try to make it easy for their targets, talking them through the steps to make a payment, which researchers explain is likely to increase profits from vulnerable victims.

Gandcrab, New and Old

Gandcrab is only a year old but made a big splash in 2018, infecting more than 50,000 victims and generating at least $600,000 for attackers in the first two months. In March, Gandcrab underwent agile development; in May, campaigns distributed the ransomware via legitimate but poorly secured sites. It was recently seen disguised as a graphic in a Super Mario game.

Its operators have continued to adjust Gandcrab over time; adding new features, improving efficiency, and identifying and eliminating bugs. Several versions of Gandcrab were released throughout the past year; version 5.1.6, the most recent, was spotted on Feb. 13, 2019.

This particular Valentine's campaign uses Gandcrab version 5.1.0. Like earlier versions, it encrypts victims' files and changes their file extensions. Victims will notice a text file with the ransom note appear toward the top of their desktop screen; each text file contains a URL with a unique token, which operators use to identify and track each victim of the campaign.

In general, there are a few features that set Gandcrab apart from other ransomware variants. It specifically identifies and avoids Russian victims: if a Russian keyboard is detected, the attack is terminated. Gandcrab also tailors ransom notes to its victims, suggesting a targeted threat. Finally, it uses DASH cryptocurrency to faster, more secure transactions, Mimecast reports.

Gandcrab has also been transformed into a ransomware-as-a-service (RaaS) threat; as a result, some campaigns are linked to the ransomware itself but not necessarily the group developing it. Mimecast found the actors behind Gandcrab have several versions for sale at different prices.

The Valentine's Gandcrab campaign is one of many threats spreading through cyberspace this time of year. US-CERT this week published a warning to consumers, detailing the online scams found in dating websites and chat services. Most of these are highly targeted social engineering attacks informed by personal information found in dating profiles and social media accounts.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BogdanSTORM
50%
50%
BogdanSTORM,
User Rank: Apprentice
2/17/2019 | 1:26:23 AM
Encountered - Engaged - Damaged
I had an encounter this week with Grandcrab 5.1 and unfortunately not even Bitdefender is able to decode it. They can do it with versions up to 5.0, but not 5.1.

How did I engage? I tried to help a friend, inserted my usb stick, turned on the internet as it was needed for my action and Gradcrab 5.1 activated.

I didn't realize it until I noticed that some files from my usb stick changed names. 

I was also amazed by the led of usb stick running wild after turning internet on. I knew something was wrong. That was the crypting doing its job.

In 3 minutes the entire folders with txt, docs and zip files were damaged / encrypted.

Luckly I had backups and so my friend, but one thing is obvious: Windows Defender defended NOTHING.

Other systems from same place with Bitdefender installed with Antiransomware and preboot options active were protected.

This is not advertising to this AV provider, it's just a happy case with one damaged computer from 7.

We saved some encrypted files for future use and see if any decryptor will help, but it will be at least 6 months until one will be public.

Thank you
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/15/2019 | 9:04:46 AM
My suggested email rule
Easy..

 

IF you don't need it, don't READ it, DELETE IT
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...