Porn extortion malware GandCrab is back — and romantic

March 5, 2019

“We hijacked your webcam and nailed you watching porn. And encrypted your data. And now we want ransom.” You may remember that a somewhat similar blackmail scheme saw phenomenal success last year. Well, it seems rumors of the ransomware behind this extortion scam dying are slightly exaggerated.

GandCrab ransomware is back and active as ever. Its developers are constantly launching new versions so as not to lose the hard-won share it currently holds — about 40% of the whole ransomware market. The attackers who rent and propagate GandCrab are also staying current, opting for diversified, creative, and sometimes even romantic tactics to infect victims.

Ransomware for the sentimental

Subject lines with declarations of love may sound appealing, but “My love letter to you,” “Fell in love with you,” and “Wrote my thoughts down about you” actually herald possible disaster. And around Valentine’s Day, Christmas, New Year’s, or your birthday, or even just on a bleak Monday at work, such a message might not even raise alarms. Like every e-mail, however, this kind is worth careful consideration.

The most common variant of a malicious e-mail making rounds these days has a romantic phrase in the subject line, a heart symbol in the body, and an attachment — a ZIP file typically called Love_You followed by several digits. If you extract and execute the JavaScript file that is inside, it’ll download GandCrab ransomware.

Then, you’ll be directed to a note explaining that all of the data on your computer has been encrypted, and you can pay the ransom (likely in bitcoins) to get it back. If you don’t know how to deal with cryptocurrencies, the gang that orchestrated the attack kindly provides a live chat window to teach you how to purchase the necessary amount and pay the ransom.
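The romantic campaign described above has two recognisable traits a mail gateway can check for: an archive named Love_You followed by digits, and a script file inside it. The following is an added defensive example, not code from the original post; the extra script extensions beyond .js and the sample archive it builds are my own assumptions, and the archive contents are a harmless placeholder.

```python
import io
import re
import zipfile

# Archive name pattern from the campaign described above:
# "Love_You" followed by several digits, with a .zip extension.
SUSPICIOUS_ARCHIVE_NAME = re.compile(r"^love_you\d+\.zip$", re.IGNORECASE)

# The campaign drops a JavaScript file; the other Windows script types are
# an assumption added for coverage, not taken from the article.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")


def analyze_attachment(filename: str, data: bytes) -> dict:
    """Inspect one e-mail attachment and return findings.

    'name_match' is True when the file name fits the campaign pattern,
    'scripts' lists script files found inside the archive, and 'verdict'
    is 'block', 'suspicious' or 'clean'.
    """
    findings = {"name_match": bool(SUSPICIOUS_ARCHIVE_NAME.match(filename)),
                "scripts": [], "verdict": "clean"}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if member.lower().endswith(SCRIPT_EXTENSIONS):
                    findings["scripts"].append(member)
    if findings["scripts"]:
        findings["verdict"] = "block"        # script inside an archive: quarantine
    elif findings["name_match"]:
        findings["verdict"] = "suspicious"   # name fits the campaign, review by hand
    return findings


def build_sample_zip(inner_name: str, content: bytes) -> bytes:
    """Build a constructed, harmless ZIP in memory to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the inner file is a placeholder, not the real dropper.
    sample = build_sample_zip("Love_You_2019.js", b"// placeholder, harmless\n")
    print(analyze_attachment("Love_You12345.zip", sample))
    print(analyze_attachment("report.zip", build_sample_zip("report.txt", b"hi")))
```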

Ransomware for business

Back in 2017, a patch was released that fixed a vulnerability in a tool used to synchronize data between two management systems for IT companies. But not everyone installed that patch. In 2019 GandCrab is targeting those who didn’t, encrypting all computers they can reach.

The security flaw enables the malefactors to create new administrator accounts and from there push out commands to install the ransomware on the endpoints that are being managed. In other words, they encrypt the machines of the attacked company’s customers and demand a payoff (always in cryptocurrency).

Ransomware for responsible alarmists (everyone)

How many of us would open an e-mail attachment if it said it was an updated emergency exit map for the building where we work? Even if it came from a completely unknown address? Most probably, all of us. After all, few of us remember the names of the safety managers anyway.

The attackers started exploiting that opportunity, sending malicious e-mails with a Word file attached. Those who open the document see only the title — “Emergency exit map” — and the Enable Content button. If you click the button, you’ll install the GandCrab ransomware.

Ransomware for payers

Another tactic uses an e-mail that looks like an invoice or a payment confirmation that is available for download from WeTransfer. The link goes to a ZIP or, sometimes, a RAR file, with a password to open it. Guess what’s inside the archive.

Ransomware for Italians

Another variant might use a “payment notice” — in the form of an Excel file attachment. Try to open it, and a prompt in the document will tell you that the file can’t be previewed online and suggest that you click Enable Edit and Enable Content to see the contents.

Curiously, this specific attack targets Italians exclusively (at least, at the moment). By clicking the required buttons, you enable a script that checks whether your computer is based in Italy, relying on the administrative language of the operating system.

If not, nothing special happens. But if you seem to be in Italy, you get to experience the attacker’s sense of humor, in the form of an image of Mario. You know, the one from Super Mario Bros.

This image of Mario contains malicious code that downloads malware

The image, downloaded when you click to view the file’s contents, contains malicious PowerShell code and starts to download malware. At the moment, researchers disagree on which malware exactly: GandCrab, which encrypts your data, or Ursnif, which steals your banking and online account credentials. Frankly speaking, it makes little difference; the delivery method is the point here, though those also evolve constantly.

Say no to the greedy crabster

GandCrab is distributed by many different people — it is ransomware-as-a-service, developed by a team of malefactors and rented to other crooks, who try to encrypt as many targets as they can. But, despite the differences in delivery methods, just a few best practices can protect you from GandCrab’s greedy claws. Here they are:

  • When you receive an unexpected e-mail, try to make sure the message is genuine before opening an attachment. For example, give the sender a call.
  • Always have a reliable and tested backup of all of your key data, so it can be restored in case of an emergency.
  • Use a good security suite to make sure no ransomware can infect your computer.

That should be enough to never encounter GandCrab personally. But if your computer is already encrypted by GandCrab, you can still minimize the damage:

  • You may be able to get your files back free of charge — check for the decryption tool on the No More Ransom project website. Some versions of GandCrab ransomware have flaws that allow decryption. Unfortunately, not all versions can be decrypted.
  • Before downloading and starting the decryption tool, use a reliable antivirus solution to remove the ransomware from your device. Otherwise the malware will repeatedly lock your system or encrypt files.