GandCrab 2.1 ransomware on the rise with new spam campaign

GandCrab 2.1 ransomware on the rise with new spam campaign

FortiGuard Labs has been observing a surge in an email spam campaign delivering the latest GandCrab v2.1 ransomware

By Kalle Bjorn, Director – Systems Engineering, Fortinet

Over the past few days, FortiGuard Labs has been observing a surge in an email spam campaign delivering the latest GandCrab v2.1 ransomware. This article provides a basic overview of this malicious campaign and points out details that can help users identify it.

Spam campaign

The image below is a screenshot from our KTIS (Kadena Threat Intelligence System) that shows the overview of a single spam campaign that led to a GandCrab v2.1 sample being delivered as a payload.

 

 

A screenshot from Fortinet’s KTIS (Kadena Threat Intelligence System) that shows the overview of a single spam campaign that led to a GandCrab v2.1 sample being delivered as a payload

Isolating a branch from the illustration allows us to look at the campaign in more detail, as shown in the following image.

This figure reveals that multiple emails include a Javascript attachment, which when executed downloads a Gandcrab v2.1 variant from a malicious URL.

The graph also shows that at the time of this writing, three unique (different) hashes of Gandcrab v2.1 had already been hosted from the URL.

This means that newly created samples are being pushed simultaneously, possibly with different configurations, or simply to evade specific file signatures. Not limiting itself to Gandcrab, the entity behind this IP address is also hosting other malware such as Phorpiex, which is a worm that allows backdoor access and control, and IRCbot which is a Trojan that can provide attackers with remote access to infected system, as well as a coin miner.

 

Isolating a branch from the illustration allows us to look at the campaign in more detail

As mentioned previously, the email spam samples include attached JavaScripts hidden inside archives with the filename format DOC<NUMBERS>.zip.

Their contents are all practically the same as those shown in the next figure. Samples observed contained the following subjects:

  • Document #<NUMBERS>
  • Invoice #<NUMBERS>
  • Order #<NUMBERS>
  • Payment #<NUMBERS>
  • Payment Invoice #<NUMBERS>
  • Ticket #<NUMBERS>
  • Your Document #<NUMBERS>
  • Your Order #<NUMBERS>
  • Your Ticket #<NUMBERS>

 

 

The email spam samples include attached JavaScripts hidden inside archives with the filename format DOC.zip

 

Geographical distribution

The graph below details the spam distribution in terms of the email recipient domains gathered from the collected spam emails over the past week. As can be seen, mail servers hosted in the US are currently the primary recipients of this campaign.

The spam distribution in terms of the email recipient domains gathered from the collected spam emails over the past week

 

On the other hand, the next graph below shows a more general perspective of GandCrab’s actual infection during the past month. Based on timing alone, it can be observed that infection had already gone up at the time of this campaign’s discovery.

GandCrab infection timeline for the past month

 

With regards to actual successful GandCrab infections, India is in the top spot, as shown in the following graph.

The GandCrab infection geographical graph

 

File recovery

Files encrypted with .CRAB extension

The ransom note contains a link to an onion site that the user has to visit using a TOR browser – which is a browser designed for anonymous internet browsing and downloading – in order to purchase a file decryptor.

The page displays the usual ransomware information, such as further instructions and the initial ransom amount, which will be doubled after a certain time. However, we discourage users from paying the ransom as this does not guarantee any actions from the threat actors.

 

 

 

GandCrab v2.1 ransom note

 

The payment page shows a doubled decryption price after the countdown expires

 

Conclusion

GandCrab ransomware, or any type of ransomware for that matter, can cause irreversible damage to an infected system.

The best defence against these kinds of attacks is good cyber hygiene and safe practices. In this case, remember that it is always important to be cautious about unsolicited emails, especially those with executable attachments.

In addition, if all else fails, make sure you always have a backup stored in an isolated network environment in order to successfully recover a compromised system.

As always, FortiGuard Labs will continue monitoring GandCrab’s activity, as well as other malware being distributed by these spam campaigns.

Browse our latest issue

Intelligent CISO

View Magazine Archive