Threat Intelligence

2/14/2019
04:35 PM
Valentine's Emails Laced with Gandcrab Ransomware

In the weeks leading up to Valentine's Day 2019, researchers notice a new form of Gandcrab appearing in romance-themed emails.

Hackers love the holidays, and Valentine's Day is no exception. Some cybercriminals currently are spreading the love, with a new form of Gandcrab ransomware sliding into target inboxes.

In the weeks preceding February 14, Mimecast researchers noticed cyberattackers and threat groups previously linked to Gandcrab were using the holiday to trick victims into opening malicious emails. Like Christmas, Valentine's Day is a time when people buy presents for loved ones – and the shopping period gives attackers a wider window of opportunity to strike.

There are several ways they exploit people celebrating Valentine's Day. Virtual greeting cards and fraudulent emails offering gifts and flowers can lure victims into downloading malicious attachments or clicking bad links. Fake surveys, malicious dating apps, and hacked (but legitimate) dating apps and websites can be used to collect personal and financial information.

"Threat actors will typically leverage holidays throughout the year (tax season, the holidays, etc.) as a way to lure people in with something familiar, so it's no surprise that these romance-themed campaigns are flourishing around this time," Mimecast Threat Labs explains.

Now, Gandcrab is spreading via emails with malicious attachments – one of its most popular vectors. Researchers identified emails delivering the same version of Gandcrab with different subject lines related to romance: "This is my love letter to you," for example, or "Wrote my thoughts down about you." Attached is a zip file with a name similar to Love_You_2018, plus a few random digits. Executing the file downloads and launches the ransomware.
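The lure described above can be turned into a mail-gateway triage rule. The following is an added example, not Mimecast's or Dark Reading's code: it parses a raw message, checks the subject against the reported romance-themed subject lines and the attachment name against the reported "Love_You_2018 plus digits" zip pattern, and returns a verdict. The exact filename shape (optional underscore, one to eight digits) and the sample messages are assumptions constructed for the demonstration.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Indicators reported for the Valentine's Gandcrab campaign (from the article):
# romance-themed subject lines and a zip attachment named Love_You_2018 plus random digits.
ROMANCE_SUBJECTS = (
    "this is my love letter to you",
    "wrote my thoughts down about you",
)
# Assumed exact shape of the name: the article only says "similar to Love_You_2018, plus a few random digits".
ATTACHMENT_RE = re.compile(r"^love_you_2018_?\d{1,8}\.zip$", re.IGNORECASE)


def attachment_names(msg: EmailMessage) -> list:
    """Return the filenames of all attachment parts in a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw: bytes) -> dict:
    """Score a raw RFC 5322 message against the campaign's reported lure indicators."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["subject"] or "").strip().lower()
    reasons = []
    if any(s in subject for s in ROMANCE_SUBJECTS):
        reasons.append("romance-themed subject reported in the campaign")
    hits = [n for n in attachment_names(msg) if ATTACHMENT_RE.match(n)]
    if hits:
        reasons.append("attachment name matches Love_You_2018+digits zip pattern: %s" % hits)
    # Both indicators together match the reported lure; either one alone only merits analyst review.
    verdict = "quarantine" if len(reasons) == 2 else ("review" if reasons else "pass")
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, filename: str) -> bytes:
    """Construct a sample message with a zip attachment (constructed test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Open the attachment.")
    # Payload bytes are a placeholder, not a real archive.
    msg.add_attachment(b"PK\x03\x04constructed", maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample("This is my love letter to you", "Love_You_2018_4913.zip")))
```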

Infected victims will see a ransom note on their desktop. The note contains a link; if clicked, it asks the user to authenticate by uploading a file created by the malware. The language options offered, English, Korean, and Chinese, could shed light on the victim pool, researchers report.

Submitting the file will bring victims to a page where attackers demand ransom in exchange for their files' safe return. This campaign wants $2,500 per victim within seven days of the attack. The attackers try to make it easy for their targets, talking them through the steps to make a payment, which researchers explain is likely to increase profits from vulnerable victims.

Gandcrab, New and Old

Gandcrab is only a year old but made a big splash in 2018, infecting more than 50,000 victims and generating at least $600,000 for attackers in the first two months. In March, Gandcrab underwent agile development; in May, campaigns distributed the ransomware via legitimate but poorly secured sites. It was recently seen disguised as a graphic in a Super Mario game.

Its operators have continued to adjust Gandcrab over time, adding new features, improving efficiency, and identifying and eliminating bugs. Several versions of Gandcrab were released throughout the past year; version 5.1.6, the most recent, was spotted on Feb. 13, 2019.

This particular Valentine's campaign uses Gandcrab version 5.1.0. Like earlier versions, it encrypts victims' files and changes their file extensions. Victims will notice a text file with the ransom note appear toward the top of their desktop screen; each text file contains a URL with a unique token, which operators use to identify and track each victim of the campaign.

In general, there are a few features that set Gandcrab apart from other ransomware variants. It specifically identifies and avoids Russian victims: if a Russian keyboard is detected, the attack is terminated. Gandcrab also tailors ransom notes to its victims, suggesting a targeted threat. Finally, it uses DASH cryptocurrency for faster, more secure transactions, Mimecast reports.

Gandcrab has also been transformed into a ransomware-as-a-service (RaaS) threat; as a result, some campaigns are linked to the ransomware itself but not necessarily the group developing it. Mimecast found the actors behind Gandcrab have several versions for sale at different prices.

The Valentine's Gandcrab campaign is one of many threats spreading through cyberspace this time of year. US-CERT this week published a warning to consumers, detailing the online scams found in dating websites and chat services. Most of these are highly targeted social engineering attacks informed by personal information found in dating profiles and social media accounts.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
BogdanSTORM, User Rank: Apprentice, 2/17/2019 | 1:26:23 AM
Encountered - Engaged - Damaged
I had an encounter this week with Gandcrab 5.1 and unfortunately not even Bitdefender is able to decode it. They can do it with versions up to 5.0, but not 5.1.

How did I engage? I tried to help a friend, inserted my USB stick, turned on the internet as it was needed for my action, and Gandcrab 5.1 activated.

I didn't realize it until I noticed that some files from my USB stick changed names.

I was also amazed by the LED of the USB stick running wild after turning the internet on. I knew something was wrong. That was the encryption doing its job.

In 3 minutes, entire folders with txt, docs and zip files were damaged / encrypted.

Luckily I had backups and so did my friend, but one thing is obvious: Windows Defender defended NOTHING.

Other systems from the same place with Bitdefender installed with Anti-ransomware and preboot options active were protected.

This is not advertising for this AV provider, it's just a happy case with one damaged computer out of 7.

We saved some encrypted files for future use to see if any decryptor will help, but it will be at least 6 months until one is public.

Thank you
REISEN1955, User Rank: Ninja, 2/15/2019 | 9:04:46 AM
My suggested email rule
Easy..

IF you don't need it, don't READ it, DELETE IT