It has been a year since GandCrab first emerged, and in that short time it has earned a reputation as one of the most potent ransomware threats in circulation. Its operators keep releasing updated versions of the strain, which makes it harder for researchers to produce a universal decrypter.
Last week, researchers at a CDM company detected a socially engineered Valentine’s Day email campaign built around GandCrab. According to the preliminary findings, the criminals are using romantic subject lines in phishing emails whose attachment carries the GandCrab payload.
Emails with subjects such as ‘Wrote my thoughts down about you’, ‘This is my love letter to you’, ‘Fell in love with you’ and ‘My letter just for you’, each carrying a zip attachment named ‘Love_You_2018’, have been sent en masse to lure unwary users into the trap. The archive does not contain a letter: it holds a JavaScript (.js) file, which Windows runs through its script host when the user double-clicks it, and that script drops the GandCrab ransomware onto the machine.
Even when they suspect a scam, many people open the attachment out of curiosity. On the internet, curiosity can kill the cat, so do not open links or attachments sent from unknown or spoofed addresses.
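The attachment shape described above (a zip whose only member is a script file that Windows will run on double-click) is easy to flag at the mail gateway before a user ever sees it. The following Python is an added example for this article, not code from the researchers or from any vendor; the list of script extensions is an assumption to tune for your environment, and every archive and file name it builds is constructed test data.

```python
"""Check an e-mail attachment for the lure shape described above: a
.zip whose member is a Windows script file (.js etc.) that runs through
the Windows Script Host when double-clicked.

Added example for this article; it is not the researchers' or any
vendor's code.  The extension list is an assumption, and every archive
and file name below is constructed test data."""
import io
import os
import zipfile
from typing import Dict, List

# Extensions Windows executes or hands to a script host on double-click.
# Assumed list for this example; extend it to match your environment.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".cmd", ".bat", ".ps1", ".scr", ".exe", ".lnk",
}


def script_ext(name: str) -> str:
    """Return the risky extension of a member name, or '' if it has none."""
    base = name.rsplit("/", 1)[-1].lower()
    ext = os.path.splitext(base)[1]
    return ext if ext in SCRIPT_EXTENSIONS else ""


def risky_name(name: str) -> List[str]:
    """Reasons one archive member name looks like a script lure."""
    reasons = []
    base = name.rsplit("/", 1)[-1].lower()
    stem, ext = os.path.splitext(base)
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"script extension {ext}")
        # "photo.jpg.js": the visible part of the name lies about the type
        if "." in stem:
            reasons.append("double extension")
    # Runs of spaces push the real extension out of view in Explorer
    if "    " in base:
        reasons.append("padded file name")
    return reasons


def scan_zip_attachment(data: bytes) -> List[str]:
    """Return findings for one zip attachment; an empty list means clean."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip archive"]
    for name in names:
        for reason in risky_name(name):
            findings.append(f"{name}: {reason}")
    # The classic lure is a single script file and nothing else
    if len(names) == 1 and script_ext(names[0]):
        findings.append("archive holds a single script file")
    return findings


def build_zip(members: Dict[str, str]) -> bytes:
    """Construct an in-memory zip from {name: text}; test data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in members.items():
            zf.writestr(name, text)
    return buf.getvalue()


if __name__ == "__main__":
    # Stand-in for the lure archive: the member is a harmless placeholder.
    lure = build_zip({"Love_You_2018_12345.js": "// placeholder, not malware\n"})
    for line in scan_zip_attachment(lure):
        print("FLAG:", line)
    print("clean:", scan_zip_attachment(build_zip({"note.txt": "hello\n"})))
```

The check deliberately inspects member names rather than content: the script inside these lures is usually obfuscated and changes per campaign, but the delivery shape (an archive whose single member Windows will execute) is stable and cheap to block or quarantine at the gateway.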
Korean and Chinese Users Might Be the Primary Targets
Once encryption is complete, the screen of the affected device offers victims a choice of English, Chinese or Korean. This suggests the campaign is aimed primarily at users in East Asia. The ransom note gives victims seven days to pay the stated amount for the decryption key; after the deadline passes, the demand doubles.
A RaaS Campaign
Every infection the researchers analyzed demanded a different ransom amount. This strongly suggests that the original GandCrab operators are not behind this ‘seasonal campaign’. Instead, affiliates have likely bought access to GandCrab on the dark web and are running it under its Ransomware-as-a-Service (RaaS) model, which would explain the varying prices.
Besides stating the ransom amount and the cryptocurrency addresses to pay it to, the note includes a complete guide to obtaining a Bitcoin or Dash wallet. The perpetrators even offer a live chat service to help victims pay.
GandCrab Operators Are Making Money from All Sides
GandCrab’s operators have been making the most of their product since its launch. They use it in their own attacks, extorting payment for the decryption key, while selling GandCrab as a RaaS product brings in additional profit. With such lucrative prospects, it is safe to assume they will keep producing new, more damaging variants.