- The spam email contains a message depicting the ‘emergency exit map’ of the recipient's building, wherein the Word doc attachments contain the ransomware.
- GandCrab ransomware was discovered in January 2018 and has affected more than 500,000 systems.
A new malspam campaign in the guise of an ‘emergency exit map’ is making rounds in the cyberspace. Apparently, the spam emails in the campaign carry a false message purporting to be an updated version of an exit map in the recipient’s building. Consequently, Word doc attachments in the email install the nasty GandCrab ransomware.
A blog post by myonlinesecurity.co.uk uncovered the campaign. It appears that the actors use the name ‘Rosie L.Ashton’ and send spam emails under this alias.
“Last night we received several emails to various email addresses on this server using a template we first saw back in Early December 2018. They are still using Rosie L. Ashton as the sender. Then it delivered Ursnif banking trojan. Today it is delivering Gandcrab 5.1 ransomware.” mentions the post of the discovery.
Macros in action
This malspam campaign primarily targets Windows users. The attached document can only be opened by Microsoft Office programs such as Word since they enable macros which is the heart of this operation.
Generally, macros are disabled by Word and are the documents are displayed in ‘protected view’. If by sheer chance, the user enables macros and the ‘protected view’ is turned off, it will run a script that downloads and installs GandCrab version 5.1 into the system. This will result in the user's files getting encrypted and a ransom note getting created on each folder in the system.
Therefor, it is recommended for Windows users to disable macros unless absolutely necessary. On top of this, further precautions need to be taken when opening emails from unknown sources.