Super Mario is a timeless classic. People from all over the world have unforgettable childhood memories of the game. However, GandCrab Ransomware has set out to spoil that memory by abusing the image of the iconic game.
Recently, ransomware removal experts found a new campaign that targets users in one specific country: Italy. The campaign delivers other malware alongside the ransomware to its victims. The payload is embedded in an image. Hiding malicious code inside an image is a relatively new technique, and one that is able to bypass anti-malware solutions.
The attack begins with an email to the user that poses as a payment notice. Attached to the email is an MS Excel file laced with macros. When users download and open the file, they are tricked into enabling macros in order to see its contents.
Once macros are enabled, code runs in the background. Before paralyzing the computer, the malware checks whether the victim is located in Italy. If not, it takes no further action. If the victim's PC is located in Italy, an image of Super Mario is downloaded.
The image then initiates the second stage: malicious PowerShell code hidden in the green and blue colour channels of the image is extracted and run. As a result, GandCrab Ransomware and other malware make their way onto the victim's PC. The experts who identified the malware had to make an intensive effort to reverse-engineer the code because it had been obfuscated with base64 encoding.
Eventually they succeeded and extracted the payload from the malware. Most of the files were identified as GandCrab Ransomware. However, future variants are expected to come with their own ransomware and other malware.
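As an added defender-side example (not code from the article or from the researchers who analysed the campaign), the Python below rebuilds a byte stream from the green and blue channels of an image's pixels and scans it for PowerShell loader tokens. It assumes pixels are available as (r, g, b) tuples (for example from Pillow's `Image.getdata()`), that the payload occupies whole channel values (a `bits` parameter covers low-order-bit variants), and that the token list is a reasonable indicator set; the sample pixels and stand-in payload are constructed inline.

```python
import string

# Assumed indicator list (not from the article): tokens common in PowerShell loaders.
PS_TOKENS = ("powershell", "invoke-expression", "frombase64string",
             "downloadstring", "-encodedcommand", "new-object")
PRINTABLE = frozenset(string.printable.encode("ascii"))

def channel_stream(pixels, channels=(1, 2), bits=8):
    """Rebuild a byte stream from selected colour channels of (r, g, b) pixels.

    Green and blue (indices 1 and 2) match the campaign described above. With
    bits=8 each channel value is one payload byte; a smaller bits value packs
    only the low-order bits of each value, the usual LSB-steganography layout.
    """
    mask, acc, n, out = (1 << bits) - 1, 0, 0, bytearray()
    for px in pixels:
        for c in channels:
            acc, n = (acc << bits) | (px[c] & mask), n + bits
            while n >= 8:
                n -= 8
                out.append((acc >> n) & 0xFF)
            acc &= (1 << n) - 1
    return bytes(out)

def scan_image(pixels, **kw):
    """Triage one image: return the printable ratio and any loader tokens found."""
    stream = channel_stream(pixels, **kw)
    ratio = sum(b in PRINTABLE for b in stream) / len(stream) if stream else 0.0
    text = stream.decode("ascii", errors="ignore").lower()
    hits = [t for t in PS_TOKENS if t in text]
    # Tokens are the strong signal. A high printable ratio alone is only a
    # weak hint: mid-tone photos also keep most channel values inside 32..126.
    return {"printable_ratio": round(ratio, 3), "tokens": hits, "suspicious": bool(hits)}

# Constructed stand-in loader for exercising the scanner; it is not a real payload.
SAMPLE_PAYLOAD = (b"$t = [Convert]::FromBase64String('SGVsbG8=');"
                  b" Invoke-Expression ('Write-Output ' + $t)\n")

def make_sample(payload=None, n=600):
    """Constructed synthetic pixels (not a real image). Without a payload the
    channels follow an arithmetic pattern; with one, its bytes are written
    alternately into green and blue, as in the campaign described above."""
    pixels = []
    for i in range(n):
        r, g, b = (i * 37) % 256, (i * 91 + 13) % 256, (i * 53 + 7) % 256
        if payload:
            g, b = payload[(2 * i) % len(payload)], payload[(2 * i + 1) % len(payload)]
        pixels.append((r, g, b))
    return pixels

if __name__ == "__main__":
    print(scan_image(make_sample()))
    print(scan_image(make_sample(SAMPLE_PAYLOAD)))
```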
Lessons to Learn from the Debacle
To safeguard yourself in future against this type of attack, adhere to the following safety measures.
- Ensure that macros are disabled in Microsoft Excel at your office and at home.
- If you do not want to put your sensitive data at risk, then as a rule of thumb, stay away from email attachments from unknown senders.
- While the two measures above are well known, the image trick used by this strain is an area where people are unprepared. If you want to avoid GandCrab ransomware removal altogether, always check the size of any downloaded image. A file carrying a malicious component will have a different size, resolution, and type from the other images on your system.