The malicious program, dubbed GandCrab, was found attached to several emails posing as romantic letters. Victims who downloaded and opened the attachment had their personal data encrypted and held for ransom. Notably, researchers found that users with Russian keyboard layouts were intentionally excluded from the attack.
How is #ValentineDay being exploited by threat actors like #GandCrab and what can you do to protect your team? Advice from Threat Labs & @JCDSecurity: https://t.co/DhNBHJ7Fnm pic.twitter.com/iOlX3XDLl1
— Mimecast (@Mimecast) February 14, 2019
Exploiting Valentine’s Day
According to the researchers’ report, the attackers generally included a profession of love in the email’s subject line, enticing the user to click through the message. The body of the email, on the other hand, contained only an asterisk and an attachment disguised to appear as a text file. Once the file was opened, however, users were greeted with a language select screen, allowing them to view the message in either English, Chinese or Korean.
Simultaneously, in the background, the ransomware program not only encrypted user data but also changed file extensions to strings of randomly generated characters. A text file was then placed on the desktop to let the user know that their computer had been compromised. It also provided a unique link where users were asked to pay the ransom amount and obtain a key for decryption.
The Mimecast Threat Labs team found that the amount of money demanded varied between victims. They believe that the exact amount is decided after the value of the data held for ransom has been ascertained.
Notably, the attackers demand that the ransom be paid in one of two cryptocurrencies, Bitcoin or Dash. The linked website even includes instructions that walk the victim through the process of buying cryptocurrency, as well as a live chat option for additional assistance.
No End in Sight
Researchers discovered that the GandCrab attackers employed a host of additional attack vectors, including but not limited to fake e-greetings, fraudulent emails claiming to contain gifts and other complimentary services, malicious dating apps, and fake customer surveys. The team estimates that the attack could continue to wreak havoc over the next year, specifically during festive seasons when people expect to receive such emails.
The GandCrab outbreak comes roughly two years after the crypto-based ransomware attack WannaCry affected 200,000 victims. Even though the initial attack was thwarted within four days after a researcher found a built-in kill switch, the program managed to spread to over 150 countries, causing billions of dollars' worth of destruction. Similar to GandCrab, WannaCry demanded that affected users pay anywhere between $300 and $600 via Bitcoin to obtain a decryptor.