Ransomware Alert: New Phishing Campaign Delivers Malware Variants

A new ransomware spam campaign designed to infect victims with a variant of the ransomware called GandCrab has surged in the last few days, with criminals looking to infect as many victims as possible.

First discovered in January, GandCrab has been updated frequently by its operators, who keep altering their attack techniques to maximize the gains from their file-encrypting malware.

Three new samples were discovered by researchers at security firm Fortinet, all of which are being distributed as the payload in a sweeping mass spam campaign. The emails carry commonly used subject lines about tickets, invoices, payments and orders, and contain a JavaScript attachment that, when executed, downloads the malware from a malicious URL.
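One defensive check that the delivery method above suggests, as an added example (not code from the article or from Fortinet): a mail-gateway filter that flags messages carrying a script attachment and quarantines them when the subject also uses the ticket/invoice/payment/order lure. The sample message, sender address and attachment name are constructed for the example.

```python
import re
from email import message_from_string

# Script attachments that Windows hands to the Windows Script Host on double-click.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Subject themes the article reports for this campaign.
LURE_PATTERN = re.compile(r"\b(ticket|invoice|payment|order)s?\b", re.IGNORECASE)


def is_script_attachment(filename: str) -> bool:
    """True if the final extension is a script type ("invoice.pdf.js" counts)."""
    return filename.lower().strip().endswith(SCRIPT_EXTENSIONS)


def assess(raw_message: str) -> dict:
    """Return the subject, offending attachment names and a verdict for one message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    script_files = [name for name in attachments if is_script_attachment(name)]
    lure = LURE_PATTERN.search(subject) is not None
    if script_files and lure:
        verdict = "quarantine"   # lure subject plus executable script: block it
    elif script_files:
        verdict = "review"       # a script attachment alone still warrants a look
    else:
        verdict = "deliver"
    return {"subject": subject, "script_attachments": script_files,
            "lure_subject": lure, "verdict": verdict}


# Constructed sample (hypothetical sender and attachment, not a real campaign email).
SAMPLE = """From: billing@example.invalid
To: user@example.invalid
Subject: Your invoice #48213
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice_48213.pdf.js"
Content-Disposition: attachment; filename="invoice_48213.pdf.js"
Content-Transfer-Encoding: base64

dmFyIHggPSAxOw==
--b1--
"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Checking the final extension rather than the MIME type catches the double-extension trick ("invoice.pdf.js"), which a filter keyed on Content-Type alone would miss.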

Researchers said:

“This means that newly created samples are being pushed simultaneously, possibly with different configurations, or simply in an attempt to evade specific file signatures.”

The campaign sees tens of thousands of GandCrab spam emails distributed every single day with mail servers based in the United States predictably being the most targeted, with over three quarters of the deliveries. However, the US is currently fourth in the concentration of victims, after Peru, Chile and India.

Victims are redirected to a website that can only be accessed through the Tor browser, where they are told to purchase a private key from the attackers for $400 in the cryptocurrency Dash. That figure doubles if the victim doesn’t pay up within a certain amount of time.

“GandCrab ransomware, or any type of ransomware for that matter, can cause irreversible damage to an infected system,” researchers added. “The best defense against these kinds of attacks is good cyber hygiene and safe practices. In this case, remember that it is always important to be cautious about unsolicited emails, especially those with executable attachments. In addition, if all else fails, make sure you always have a backup stored in an isolated network environment in order to successfully recover a compromised system.”

Image credit: Pixabay.