2/14/2019 04:35 PM
Valentine's Emails Laced with Gandcrab Ransomware

In the weeks leading up to Valentine's Day 2019, researchers notice a new form of Gandcrab appearing in romance-themed emails.

Hackers love the holidays, and Valentine's Day is no exception. Some cybercriminals currently are spreading the love, with a new form of Gandcrab ransomware sliding into target inboxes.

In the weeks preceding February 14, Mimecast researchers noticed cyberattackers and threat groups previously linked to Gandcrab were using the holiday to trick victims into opening malicious emails. Like Christmas, Valentine's Day is a time when people buy presents for loved ones – and the shopping period gives attackers a wider window of opportunity to strike.

There are several ways they exploit people celebrating Valentine's Day. Virtual greeting cards and fraudulent emails offering gifts and flowers can lure victims into downloading malicious attachments or clicking bad links. Fake surveys, malicious dating apps, and hacked (but legitimate) dating apps and websites can be used to collect personal and financial information.

"Threat actors will typically leverage holidays throughout the year (tax season, the holidays, etc.) as a way to lure people in with something familiar, so it's no surprise that these romance-themed campaigns are flourishing around this time," Mimecast Threat Labs explains.

Now, Gandcrab is spreading via emails with malicious attachments – one of its most popular vectors. Researchers identified emails delivering the same version of Gandcrab with different subject lines related to romance: "This is my love letter to you," for example, or "Wrote my thoughts down about you." Attached is a zip file with a name similar to Love_You_2018, plus a few random digits. Executing the file downloads and launches the ransomware.
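The indicators above (romance subject lines plus a zipped attachment named Love_You_2018 and a few digits) are enough to write a gateway triage rule. The following is an added example, not Mimecast's or Dark Reading's code; the sample messages it builds are constructed, and the regex and keyword list are my assumptions about how the reported names would be matched.

```python
"""Mail-gateway triage for the Valentine's Gandcrab lure described above.
Added example, not from the article or Mimecast. Subject lines and the
Love_You_2018 + digits name come from the article; build_eml() output is constructed."""
import re
from email import message_from_string
from email.message import Message

# Exact subjects reported for the campaign, plus a loose romance-keyword net (assumed).
ROMANCE_SUBJECTS = {"this is my love letter to you", "wrote my thoughts down about you"}
ROMANCE_WORDS = re.compile(r"\b(love|valentine|romance|sweetheart)\b", re.I)
# Reported lure name: Love_You_2018 followed by a few random digits, zipped.
LURE_ATTACHMENT = re.compile(r"^love_you_2018[_-]?\d*\.zip$", re.I)


def build_eml(subject: str, filename: str) -> str:
    """Construct a one-attachment MIME message for testing (not a real capture)."""
    return (
        f"From: admirer@example.test\r\nTo: user@example.test\r\nSubject: {subject}\r\n"
        'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nPlease open the attachment.\r\n"
        f'--b1\r\nContent-Type: application/zip; name="{filename}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\nUEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==\r\n--b1--\r\n"
    )


def attachment_names(msg: Message) -> list[str]:
    """Filenames of every attachment part, walking nested multipart bodies."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def triage(raw: str) -> dict:
    """Classify one message: quarantine on the lure filename, review on romance + zip."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").strip()
    names = attachment_names(msg)
    lure_hit = any(LURE_ATTACHMENT.match(n) for n in names)
    romance = subject.lower() in ROMANCE_SUBJECTS or bool(ROMANCE_WORDS.search(subject))
    has_zip = any(n.lower().endswith(".zip") for n in names)
    verdict = "quarantine" if lure_hit else "review" if romance and has_zip else "deliver"
    return {"subject": subject, "attachments": names, "verdict": verdict}


if __name__ == "__main__":
    for subj, fname in [("This is my love letter to you", "Love_You_2018_4721.zip"),
                        ("Wrote my thoughts down about you", "card.zip"),
                        ("Q1 budget", "report.zip")]:
        print(triage(build_eml(subj, fname)))
```

The filename match alone is treated as decisive, while a romance subject with some other zip only goes to review, since the article reports the attachment name as the stable indicator and the subjects as varying.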

Infected victims will see a ransom note on their desktop. The note contains a link; if clicked, it asks the user to authenticate by uploading a file created by the malware. The language options offered, English, Korean, and Chinese, could shed light on the victim pool, researchers report.

Submitting the file will bring victims to a page where attackers demand ransom in exchange for their files' safe return. This campaign wants $2,500 per victim within seven days of the attack. The attackers try to make it easy for their targets, talking them through the steps to make a payment, which researchers explain is likely to increase profits from vulnerable victims.

Gandcrab, New and Old

Gandcrab is only a year old but made a big splash in 2018, infecting more than 50,000 victims and generating at least $600,000 for attackers in the first two months. In March, Gandcrab underwent agile development; in May, campaigns distributed the ransomware via legitimate but poorly secured sites. It was recently seen disguised as a graphic in a Super Mario game.

Its operators have continued to adjust Gandcrab over time, adding new features, improving efficiency, and identifying and eliminating bugs. Several versions of Gandcrab were released throughout the past year; version 5.1.6, the most recent, was spotted on Feb. 13, 2019.

This particular Valentine's campaign uses Gandcrab version 5.1.0. Like earlier versions, it encrypts victims' files and changes their file extensions. Victims will notice a text file with the ransom note appear toward the top of their desktop screen; each text file contains a URL with a unique token, which operators use to identify and track each victim of the campaign.

In general, there are a few features that set Gandcrab apart from other ransomware variants. It specifically identifies and avoids Russian victims: if a Russian keyboard is detected, the attack is terminated. Gandcrab also tailors ransom notes to its victims, suggesting a targeted threat. Finally, it uses DASH cryptocurrency for faster, more secure transactions, Mimecast reports.

Gandcrab has also been transformed into a ransomware-as-a-service (RaaS) threat; as a result, some campaigns are linked to the ransomware itself but not necessarily the group developing it. Mimecast found the actors behind Gandcrab have several versions for sale at different prices.

The Valentine's Gandcrab campaign is one of many threats spreading through cyberspace this time of year. US-CERT this week published a warning to consumers, detailing the online scams found in dating websites and chat services. Most of these are highly targeted social engineering attacks informed by personal information found in dating profiles and social media accounts.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
BogdanSTORM, User Rank: Apprentice, 2/17/2019 | 1:26:23 AM
Encountered - Engaged - Damaged
I had an encounter this week with Gandcrab 5.1 and unfortunately not even Bitdefender is able to decode it. They can do it with versions up to 5.0, but not 5.1.

How did I engage? I tried to help a friend, inserted my USB stick, turned on the internet as it was needed for my action, and Gandcrab 5.1 activated.

I didn't realize it until I noticed that some files from my USB stick changed names.

I was also amazed by the LED of the USB stick running wild after turning the internet on. I knew something was wrong. That was the crypting doing its job.

In 3 minutes, entire folders with txt, docs and zip files were damaged / encrypted.

Luckily I had backups, and so did my friend, but one thing is obvious: Windows Defender defended NOTHING.

Other systems from the same place with Bitdefender installed, with Antiransomware and preboot options active, were protected.

This is not advertising for this AV provider, it's just a happy case with one damaged computer out of 7.

We saved some encrypted files for future use, to see if any decryptor will help, but it will be at least 6 months until one is public.

Thank you
REISEN1955, User Rank: Ninja, 2/15/2019 | 9:04:46 AM
My suggested email rule
Easy..

IF you don't need it, don't READ it, DELETE IT