Ransomware warning: This phishing campaign delivers new malware variants

Tens of thousands of messages are being sent each day in an effort to trick people into installing this particular form of ransomware, say researchers.
Written by Danny Palmer, Senior Writer

A new spam campaign designed to infect victims with GandCrab ransomware has surged over the past few days, as the criminals behind the scheme look to infect as many victims as possible.

GandCrab first emerged in January and those behind it have regularly updated the ransomware and altered their attack techniques in order to maximise profit from the file-encrypting malware.

Analysis by researchers at security company Fortinet found that three new samples of GandCrab 2.1 are being distributed as the payload in a single mass spam campaign.

"This means that newly created samples are being pushed simultaneously, possibly with different configurations, or simply in an attempt to evade specific file signatures," said researchers.

Phishing emails feature common subjects about payments, tickets, invoices and orders, and contain a JavaScript attachment which, when executed, downloads GandCrab from a malicious URL.
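As an added illustration (not code from the article or from Fortinet's research), here is a defender-side triage check for the pattern just described: a lure subject about payments, tickets, invoices or orders carrying a script attachment. The keyword and extension lists, and the extra look inside ZIP attachments, are this example's own assumptions.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Lure themes reported in the article, and extensions Windows Script Host runs on double-click.
LURE_KEYWORDS = ("payment", "ticket", "invoice", "order")
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs")

def script_attachments(msg):
    """Names of script attachments, also looking one level inside ZIP attachments
    (the ZIP check is an assumption of this example, not a detail from the article)."""
    found = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(SCRIPT_EXTENSIONS):
            found.append(name)
        elif name.endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    found.extend(f"{name}/{m}" for m in zf.namelist() if m.lower().endswith(SCRIPT_EXTENSIONS))
            except zipfile.BadZipFile:
                found.append(f"{name} (unreadable archive)")
    return found

def assess(raw_bytes):
    """Classify a raw RFC 5322 message as 'quarantine', 'review' or 'deliver'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    lure = any(k in subject for k in LURE_KEYWORDS)
    scripts = script_attachments(msg)
    if scripts and lure:
        return "quarantine", scripts  # the campaign pattern: lure subject plus script file
    if scripts:
        return "review", scripts  # script file without one of the known lure themes
    return "deliver", scripts

def build_sample(subject, filename, payload, zip_member=None):
    """Constructed test message (not a real campaign sample); zip_member wraps payload in a ZIP."""
    if zip_member:
        with zipfile.ZipFile((buf := io.BytesIO()), "w") as zf:
            zf.writestr(zip_member, payload)
        payload = buf.getvalue()
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

An unreadable archive under a lure subject is treated the same as a script file, since a mail filter cannot rule it out.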

A GandCrab distribution email. Image: Fortinet

Tens of thousands of GandCrab spam emails are being distributed each day, with mail servers hosted in the US by far the most common target, accounting for three quarters of deliveries. When it comes to successful infections, the US currently accounts for the fourth largest percentage of victims, behind Peru, Chile and India.


Those infected with GandCrab are directed to a site which can only be accessed by the Tor browser, where they can "purchase" a private key to decrypt the files.

A ransom note demands a payment of $400; previous GandCrab attacks have demanded that this be paid in Dash, a cryptocurrency that is faster to process and more difficult for the authorities to track than Bitcoin. The figure is doubled if the victim doesn't pay within a certain amount of time.

Fortinet researchers warn those infected by GandCrab not to pay the ransom, because "this does not guarantee any actions from the threat actors". Recent figures suggest that only a quarter of those who do pay a ransom actually get their files decrypted.

The best response to GandCrab and ransomware in general, say researchers, is to "always have a backup stored in an isolated network environment in order to successfully recover a compromised system". They also recommend that the best defence is "good cyber hygiene and safe practices".

While the ransomware threat appears to have declined compared to its peak last year, it still represents a threat to organisations, as attackers adopt new tactics to ensure that infections still return high profits.

Fortinet also notes that the IP address distributing GandCrab isn't limited to ransomware: it's also hosting other malware, including the backdoor access and control worm Phorpiex, the IRCbot trojan and a cryptocurrency coin miner.
