Ransomware warning: That romantic message may hide a nasty surprise

Cyber extortionists are sending 'romantic' phishing emails to distribute file-locking malware, warn researchers.
Written by Danny Palmer, Senior Writer

Perhaps think twice before opening that romantic message, because cyber criminals are exploiting Valentine's Day as a means of distributing a prolific form of ransomware.

GandCrab first emerged in January last year and has gone on to become one of the most successful families of file-encrypting malware, with its creators regularly updating it with new tricks and techniques.

Now the ransomware is being sent to potential victims in phishing emails with romantic subject lines to coincide with Valentine's Day in a campaign which has been detailed by security researchers at Mimecast.

While campaigns relating to holidays have traditionally focused on consumers, they're increasingly targeting business email accounts — providing attackers with a means of encrypting corporate networks and demanding larger ransoms than they could squeeze out of individual victims.


Subject lines used in this GandCrab campaign all relate to romance. Examples include 'This is my love letter to you', 'Wrote my thoughts down about you', 'My letter just for you', and 'Felt in love with you'.

The body of the email only contains a * symbol and comes with an attachment — a zip file containing a JavaScript file. The file name follows the same pattern in every malicious email — 'Love_You_2018_' followed by seven or eight random digits.

If the user chooses to extract and execute the JavaScript file, it'll download and execute GandCrab ransomware from a malicious URL embedded in the script.
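As an added detection example, not code from the article or from Mimecast, the following Python mail-filter rule flags messages matching the indicators reported above (romance subject line, a body consisting only of '*', a zip attachment carrying a JavaScript file named 'Love_You_2018_' plus seven or eight digits). The extra script extensions checked beyond .js and the quarantine threshold are assumptions, and the sample message is constructed.

```python
import io
import re
import zipfile

# Reported indicators: romance subject, body of a lone '*', zip attachment with a .js named 'Love_You_2018_' + 7-8 digits.
ROMANCE_SUBJECTS = {
    "this is my love letter to you", "wrote my thoughts down about you",
    "my letter just for you", "felt in love with you",
}
NAME_RE = re.compile(r"^Love_You_2018_\d{7,8}\.(zip|js)$", re.IGNORECASE)
SCRIPT_RE = re.compile(r"\.(js|jse|wsf)$", re.IGNORECASE)  # assumed policy: no scripts in mailed zips

def zip_script_names(zip_bytes: bytes) -> list:
    """Names of script files inside a zip; [] if the bytes are not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [i.filename for i in zf.infolist() if SCRIPT_RE.search(i.filename)]
    except zipfile.BadZipFile:
        return []

def gandcrab_indicators(subject: str, body: str, attachments: dict) -> list:
    """Indicators matched by one message; attachments maps filename -> raw bytes."""
    hits = []
    if subject.strip().lower() in ROMANCE_SUBJECTS:
        hits.append("romance-subject")
    if body.strip() == "*":
        hits.append("asterisk-only-body")
    for name, data in attachments.items():
        scripts = zip_script_names(data) if name.lower().endswith(".zip") else []
        if scripts:
            hits.append("script-in-zip")
        if NAME_RE.match(name) or any(NAME_RE.match(s) for s in scripts):
            hits.append("love_you_2018-name")
    return hits

def should_quarantine(hits: list) -> bool:
    # The naming pattern alone is decisive; otherwise require script-in-zip plus a lure indicator.
    return "love_you_2018-name" in hits or ("script-in-zip" in hits and len(hits) >= 2)

def constructed_zip(inner_name: str) -> bytes:
    # Inert in-memory zip for exercising the rule (constructed, not a real payload).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "// constructed placeholder\n")
    return buf.getvalue()

if __name__ == "__main__":  # constructed sample message, not a capture from the campaign
    atts = {"Love_You_2018_1234567.zip": constructed_zip("Love_You_2018_1234567.js")}
    hits = gandcrab_indicators("Felt in love with you", "*", atts)
    print(hits, "QUARANTINE" if should_quarantine(hits) else "deliver")
```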

Before the ransom note is presented to the victim, they're asked to select a language to see it in — English, Korean or Chinese, something which researchers suggest indicates the main targets of those behind GandCrab.

After this, the user is directed to a ransom note explaining that their computer has been encrypted and that they need to pay a ransom in Bitcoin or DASH cryptocurrency in order to get their data back.


The victim is told the ransom will be doubled if they don't pay within seven days — and is offered advice on how to purchase and use cryptocurrency. The attackers even provide a live chat window to 'help' the victims pay the ransom demand.

Researchers note that the ransom payments differ according to the victim, indicating an aspect of planning behind the attacks. They add that the Valentine's Day campaign might not be the work of the GandCrab authors themselves, but rather of cyber criminal customers using it as part of a ransomware-as-a-service (RaaS) campaign.

GandCrab remains one of the most potent ransomware threats around and it's expected to continue to plague organisations for some time yet.

"It's likely we will continue to see them update the versions. Releasing more versions will enable them to stay ahead of detection and continue to offer this as a RaaS to increase their profits," Mimecast told ZDNet.

However, organisations can look to avoid falling victim to it by training users to be mindful of strange or unexpected email messages — or by deploying suitable security software.
