GandCrab Ransomware Sextortion Campaign Targets Thousands

A sextortion attack campaign involving the GandCrab ransomware has been targeting thousands across the U.S.

Reports say that an ongoing sextortion campaign has been targeting thousands of internet users across the United States. The campaign involves the GandCrab ransomware, with which the users get infected upon clicking a link and then they are asked to pay $500 to get their systems decrypted.

Usual sextortion campaigns, as the term itself indicates, typically ask victims for money in return for keeping compromising information about the recipient a secret. Such attacks are becoming quite common these days. This new attack goes a step further and carries a link in the sextortion email which gets the user infected with the already infamous GandCrab ransomware.

Proofpoint researchers, who had observed this campaign on December 5, write about it in a detailed blog post, dated December 7, 2018; the post explains- “So-called “sextortion” scams, in which threat actors send blackmail emails claiming to have compromising information about the recipient and threaten to expose a range of observed illicit activities, are becoming increasingly common. In general, these emails simply demand payment to avoid publication of the purported evidence of compromising information. However, this week Proofpoint researchers observed a sextortion campaign that also included URLs linking to AZORult stealer that ultimately led to infection with GandCrab ransomware.”

Thousands of emails were sent to targets primarily in the U.S as part of this campaign. Such an email would claim to have compromising information about the victim and his activities on adult websites. There would also be a threat of sorts in the email, stating that the victim would have to pay a “very, very small amount” for the attacker to keep silent and not show the “attached screenshots” to the victim’s friends, relatives or colleagues. The email would offer a link that would take the user to screenshots of the adult websites that he uses and also the screenshot of the user taken via his devices camera when he was visiting the adult sites. One click on the link and the system would be infected with GandCrab ransomware.

The Proofpoint blog post states, “The URL purportedly takes recipients to a presentation showing them video of the compromising activities captured on their device. However, it actually leads to AZORult stealer malware, which, in turn, installs GandCrab ransomware, version 5.0.4 with affiliate ID “168;777”.”

A sample email would read, “I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?). After that, I made a screenshot of your joys (using the camera of your device) and glued them together. Turned out amazing! You are so spectacular!… As proof of my words, I made a video presentation in Power-Point. And laid out in a private cloud, look You can copy the link below and paste it into the browser:”

Then follows the link, after which the email states, “I’m know that you would not like to show these screenshots to your friends, relatives, or colleagues,” a sample message reads. “I think $381 is a very, very small amount for my silence. Besides, I have been spying on you for so long, having spent a lot of time!”

Proofpoint researchers explain, “This particular attack combines multiple layers of social engineering as vulnerable, frightened recipients are tricked into clicking the link to determine whether the sender actually has evidence of illicit activity… The supposed password for the potential victim’s email address in this case appears to be the same as the email account. Therefore, in this case it may simply be a bluff and the attacker does not actually possess the victim’s password.”

Once the link is clicked and the ransomware infection happens, the victim would be asked for a ransom- a payment of $500 in Bitcoin or DASH.
Sextortion is a cyberattack technique that makes use of the fears and insecurities of people, endeavoring to convince recipients of the emails, using stolen passwords or other social engineering tricks, that their reputations are at risk.

However, adding a URL to get victims infected by a ransomware is a rather new technique. This results in increased risks for the victim; there is the risk of loss of data and losing access to the computer/network as well.

Researchers say that anyone who receives such an email should assume that the sender doesn’t possess any such screenshots or video and should also refrain from clicking on links or opening attachments to verify the claims.