Hackers love the holidays, and Valentine’s Day is no exception. Some cybercriminals currently are spreading the love, with a new form of Gandcrab ransomware sliding into target inboxes.
In the weeks preceding February 14, Mimecast researchers noticed cyberattackers and threat groups previously linked to Gandcrab were using the holiday to trick victims into opening malicious emails. Like Christmas, Valentine’s Day is a time when people buy presents for loved ones – and the shopping period gives attackers a wider window of opportunity to strike.
There are several ways they exploit people celebrating Valentine’s Day. Virtual greeting cards, and fraudulent emails offering gifts and flowers, can lure victims into downloading malicious attachments or clicking bad links. Fake surveys, malicious dating apps, and hacked (but legitimate) dating apps and websites, can be used to collect personal and financial information.
“Threat actors will typically leverage holidays throughout the year (tax season, the holidays, etc.) as a way to lure people in with something familiar, so it’s no surprise that these romance-themed campaigns are flourishing around this time,” Mimecast Threat Labs explains.
Now, Gandcrab is spreading via emails with malicious attachments – one of its most popular vectors. Researchers identified emails delivering the same version of Gandcrab with different subject lines related to romance: “This is my love letter to you,” for example, or “Wrote my thoughts down about you.” Attached is a zip file with a name similar to Love_You_2018, plus a few random digits. Executing the file downloads and launches the ransomware.
Infected victims will see a ransom note on their desktop. The note contains a link; if clicked, it asks the user to authenticate by uploading a file created by the malware. Language options offered include English, Korean, and Chinese, could shed light on the victim pool, researchers report.
Submitting the file will bring victims to a page where attackers demand ransom in exchange for their files’ safe return. This campaign wants $2,500 per victim within seven days of the attack. The attackers try to make it easy for their targets, talking them through the steps to make a payment, which researchers explain is likely to increase profits from vulnerable victims.
Gandcrab, New and Old
Gandcrab is only a year old but made a big splash in 2018, infecting more than 50,000 victims and generating at least $600,000 for attackers in the first two months. In March, Gandcrab underwent agile development; in May, campaigns distributed the ransomware via legitimate but poorly secured sites. It was recently seen disguised as a graphic in a Super Mario game.
Its operators have continued to adjust Gandcrab over time; adding new features, improving efficiency, and identifying and eliminating bugs. Several versions of Gandcrab were released throughout the past year; version 5.1.6, the most recent, was spotted on Feb. 13, 2019.
This particular Valentine’s campaign uses Gandcrab version 5.1.0. Like earlier versions, it encrypts victims’ files and changes their file extensions. Victims will notice a text file with the ransom note appear toward the top of their desktop screen; each text file contains a URL with a unique token, which operators use to identify and track each victim of the campaign.
In general, there are a few features that set Gandcrab apart from other ransomware variants. It specifically identifies and avoids Russian victims: if a Russian keyboard is detected, the attack is terminated. Gandcrab also tailors ransom notes to its victims, suggesting a targeted threat. Finally, it uses DASH cryptocurrency to faster, more secure transactions, Mimecast reports.
Gandcrab has also been transformed into a ransomware-as-a-service (RaaS) threat; as a result, some campaigns are linked to the ransomware itself but not necessarily the group developing it. Mimecast found the actors behind Gandcrab have several versions for sale at different prices.
The Valentine’s Gandcrab campaign is one of many threats spreading through cyberspace this time of year. US-CERT this week published a warning to consumers, detailing the online scams found in dating websites and chat services. Most of these are highly targeted social engineering attacks informed by personal information found in dating profiles and social media accounts.
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.
Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio