Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

2/14/2019
04:35 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Valentine's Emails Laced with Gandcrab Ransomware

In the weeks leading up to Valentine's Day 2019, researchers notice a new form of Gandcrab appearing in romance-themed emails.

Hackers love the holidays, and Valentine's Day is no exception. Some cybercriminals currently are spreading the love, with a new form of Gandcrab ransomware sliding into target inboxes.

In the weeks preceding February 14, Mimecast researchers noticed cyberattackers and threat groups previously linked to Gandcrab were using the holiday to trick victims into opening malicious emails. Like Christmas, Valentine's Day is a time when people buy presents for loved ones – and the shopping period gives attackers a wider window of opportunity to strike.

There are several ways they exploit people celebrating Valentine's Day. Virtual greeting cards, and fraudulent emails offering gifts and flowers, can lure victims into downloading malicious attachments or clicking bad links. Fake surveys, malicious dating apps, and hacked (but legitimate) dating apps and websites, can be used to collect personal and financial information.

"Threat actors will typically leverage holidays throughout the year (tax season, the holidays, etc.) as a way to lure people in with something familiar, so it's no surprise that these romance-themed campaigns are flourishing around this time," Mimecast Threat Labs explains.

Now, Gandcrab is spreading via emails with malicious attachments – one of its most popular vectors. Researchers identified emails delivering the same version of Gandcrab with different subject lines related to romance: "This is my love letter to you," for example, or "Wrote my thoughts down about you." Attached is a zip file with a name similar to Love_You_2018, plus a few random digits. Executing the file downloads and launches the ransomware.

Infected victims will see a ransom note on their desktop. The note contains a link; if clicked, it asks the user to authenticate by uploading a file created by the malware. Language options offered include English, Korean, and Chinese, could shed light on the victim pool, researchers report.

Submitting the file will bring victims to a page where attackers demand ransom in exchange for their files' safe return. This campaign wants $2,500 per victim within seven days of the attack. The attackers try to make it easy for their targets, talking them through the steps to make a payment, which researchers explain is likely to increase profits from vulnerable victims.

Gandcrab, New and Old

Gandcrab is only a year old but made a big splash in 2018, infecting more than 50,000 victims and generating at least $600,000 for attackers in the first two months. In March, Gandcrab underwent agile development; in May, campaigns distributed the ransomware via legitimate but poorly secured sites. It was recently seen disguised as a graphic in a Super Mario game.

Its operators have continued to adjust Gandcrab over time; adding new features, improving efficiency, and identifying and eliminating bugs. Several versions of Gandcrab were released throughout the past year; version 5.1.6, the most recent, was spotted on Feb. 13, 2019.

This particular Valentine's campaign uses Gandcrab version 5.1.0. Like earlier versions, it encrypts victims' files and changes their file extensions. Victims will notice a text file with the ransom note appear toward the top of their desktop screen; each text file contains a URL with a unique token, which operators use to identify and track each victim of the campaign.

In general, there are a few features that set Gandcrab apart from other ransomware variants. It specifically identifies and avoids Russian victims: if a Russian keyboard is detected, the attack is terminated. Gandcrab also tailors ransom notes to its victims, suggesting a targeted threat. Finally, it uses DASH cryptocurrency to faster, more secure transactions, Mimecast reports.

Gandcrab has also been transformed into a ransomware-as-a-service (RaaS) threat; as a result, some campaigns are linked to the ransomware itself but not necessarily the group developing it. Mimecast found the actors behind Gandcrab have several versions for sale at different prices.

The Valentine's Gandcrab campaign is one of many threats spreading through cyberspace this time of year. US-CERT this week published a warning to consumers, detailing the online scams found in dating websites and chat services. Most of these are highly targeted social engineering attacks informed by personal information found in dating profiles and social media accounts.

Related Content:

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BogdanSTORM
50%
50%
BogdanSTORM,
User Rank: Apprentice
2/17/2019 | 1:26:23 AM
Encountered - Engaged - Damaged
I had an encounter this week with Grandcrab 5.1 and unfortunately not even Bitdefender is able to decode it. They can do it with versions up to 5.0, but not 5.1.

How did I engage? I tried to help a friend, inserted my usb stick, turned on the internet as it was needed for my action and Gradcrab 5.1 activated.

I didn't realize it until I noticed that some files from my usb stick changed names. 

I was also amazed by the led of usb stick running wild after turning internet on. I knew something was wrong. That was the crypting doing its job.

In 3 minutes the entire folders with txt, docs and zip files were damaged / encrypted.

Luckly I had backups and so my friend, but one thing is obvious: Windows Defender defended NOTHING.

Other systems from same place with Bitdefender installed with Antiransomware and preboot options active were protected.

This is not advertising to this AV provider, it's just a happy case with one damaged computer from 7.

We saved some encrypted files for future use and see if any decryptor will help, but it will be at least 6 months until one will be public.

Thank you
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
2/15/2019 | 9:04:46 AM
My suggested email rule
Easy..

 

IF you don't need it, don't READ it, DELETE IT
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
How a Manufacturing Firm Recovered from a Devastating Ransomware Attack
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Could you pass the hash, I really have to use the bathroom!
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9892
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 5.x through 5.0.34, 6.x through 6.0.17, and 7.x through 7.0.6. An attacker who is logged into OTRS as an agent user with appropriate permissions may try to import carefully crafted Report Statistics XML that will result in reading of arbit...
CVE-2019-10066
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6, Community Edition 6.0.x through 6.0.17, and OTRSAppointmentCalendar 5.0.x through 5.0.12. An attacker who is logged into OTRS as an agent with appropriate permissions may create a carefully crafted calendar appointment i...
CVE-2019-10067
PUBLISHED: 2019-05-22
An issue was discovered in Open Ticket Request System (OTRS) 7.x through 7.0.6 and Community Edition 5.0.x through 5.0.35 and 6.0.x through 6.0.17. An attacker who is logged into OTRS as an agent user with appropriate permissions may manipulate the URL to cause execution of JavaScript in the context...
CVE-2019-6513
PUBLISHED: 2019-05-21
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.
CVE-2019-12270
PUBLISHED: 2019-05-21
OpenText Brava! Enterprise and Brava! Server 7.5 through 16.4 configure excessive permissions by default on Windows. During installation, a displaylistcache file share is created on the Windows server with full read and write permissions for the Everyone group at both the NTFS and Share levels. The ...