{"id":25854,"date":"2019-03-04T08:14:47","date_gmt":"2019-03-04T13:14:47","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=25854"},"modified":"2019-11-15T06:29:03","modified_gmt":"2019-11-15T11:29:03","slug":"gandcrab-ransomware-is-back","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/gandcrab-ransomware-is-back\/25854\/","title":{"rendered":"Porn extortion malware GandCrab is back \u2014 and romantic"},"content":{"rendered":"

\u201cWe hijacked your webcam and nailed you watching porn. And encrypted your data. And now we want ransom.\u201d You may remember that a somewhat similar blackmail scheme<\/a> saw phenomenal success last year. Well, it seems rumors of the ransomware<\/a> behind this extortion scam dying are slightly exaggerated.<\/p>\n

GandCrab ransomware<\/strong> is back and active as ever. Its developers are constantly launching new versions so as not to lose the hard-won share it currently holds<\/a> \u2014 about 40% of the whole ransomware market. The attackers who rent and propagate GandCrab are also staying current, opting for diversified, creative, and sometimes even romantic tactics to infect victims.<\/p>\n

Ransomware for the sentimental<\/h2>\n

Subject lines with declarations of love may sound appealing, but \u201cMy love letter to you,\u201d \u201cFell in love with you,\u201d and \u201cWrote my thoughts down about you\u201d actually herald possible disaster. And around Valentine\u2019s Day, Christmas, New Year\u2019s, or your birthday, or even just on a bleak Monday at work, such a message might not even raise alarms. Like every e-mail, however, this kind is worth careful consideration.<\/p>\n

The most common variant of a malicious e-mail making rounds these days has a romantic phrase in the subject line, a heart symbol in the body, and an attachment \u2014 a ZIP file typically called Love_You followed by several digits. If you extract and execute the JavaScript file that is inside, it\u2019ll download GandCrab ransomware.<\/p>\n

Then, you\u2019ll be directed to a note explaining that all of the data on your computer has been encrypted, and you can pay the ransom (likely in bitcoins) to get it back. If you don\u2019t know how to deal with cryptocurrencies, the gang that orchestrated the attack kindly provides a live chat window to teach you how to purchase the necessary amount and pay the ransom.<\/p>\n

Ransomware for business<\/h3>\n

Back in 2017, a patch was released that fixed a vulnerability in a tool used to synchronize data between two management systems for IT companies. But not everyone installed that patch. In 2019 GandCrab is targeting those who didn\u2019t<\/a>, encrypting all computers they can reach.<\/p>\n

The security flaw enables the malefactors to create new administrator accounts and from there push out commands to install the ransomware on the endpoints that are being managed. In other words, they encrypt the machines of the attacked company\u2019s customers and demand a payoff (always in cryptocurrency).<\/p>\n

Ransomware for responsible alarmists (everyone)<\/h3>\n

How many of us would open an e-mail attachment if it said it was an updated emergency exit map for the building where you work? Even if it came from a completely unknown address? Most probably, all of us. In the end, few remember the names of safety managers, anyway.<\/p>\n

The attackers started exploiting that opportunity<\/a>, sending malicious e-mails with a Word file attached. Those who open the document see only the title \u2014 \u201cEmergency exit map\u201d \u2014 and the Enable Content<\/em> button. If you click the button, you\u2019ll install the GandCrab ransomware.<\/p>\n

Ransomware for payers<\/h3>\n

Another tactic uses an e-mail that looks like an invoice or a payment confirmation that is available for download from WeTransfer. The link goes to a ZIP or, sometimes, a RAR file, with a password to open it. Guess what\u2019s inside the archive.<\/p>\n

Ransomware for Italians<\/h3>\n

Another variant might use a \u201cpayment notice\u201d \u2014 in the form of an Excel file attachment. Try to open it and a file dialog will tell you that you can\u2019t preview it online and suggest that you click Enable edit<\/em> and Enable content<\/em> to see the content.<\/p>\n

Curiously, this specific attack targets Italians exclusively<\/a> (at least, at the moment). By clicking the required buttons, you enable a script that checks whether your computer is based in Italy, relying on the administrative language of the operating system.<\/p>\n

If not, nothing special happens. But if you seem to be in Italy, you get to experience the attacker\u2019s sense of humor, in the form of an image of Mario. You know, the one from Super Mario Bros.<\/p>\n

\"This<\/a>

This image of Mario contains malicious code that downloads malware<\/p><\/div>\n

The image, downloaded when you click to view the file\u2019s contents, contains malicious PowerShell code and starts to download malware. At the moment, researchers disagree on which malware exactly: GandCrab<\/a>, which encrypts your data, or Ursnif<\/a>, which steals<\/a> your banking and online account credentials. Frankly speaking, it makes little difference; the delivery method is the point here, though those also evolve constantly.<\/p>\n

Say no to the greedy crabster<\/h3>\n

GandCrab is distributed by many different people \u2014 it is ransomware-as-a-service, developed by a team of malefactors and rented to other crooks, who try to encrypt as many targets as they can. But, despite the differences in delivery methods, just a few best practices can protect you from GandCrab\u2019s greedy claws. Here they are:<\/p>\n