New GandCrab 2.1 variants being distributed to victims in mass spam campaign

Researchers have found three new variants of the infamous GandCrab ransomware are being distributed to victims in tens of thousands of spam emails every day. According to Fortinet researchers, samples of GandCrab 2.1 are being delivered as the payload in a single mass spam campaign.

These phishing emails contain a Javascript attachment and focus on commonly used, time-sensitive subjects such as credit card payments, travel tickets, purchase invoices, and online orders designed to prompt an immediate response and click-through from the user. Once the attachment is executed, it downloads a Gandcrab v2.1 variant from a malicious URL.

"Not limiting itself to Gandcrab, the entity behind this IP address is also hosting other malware, such as Phorpiex, which is a worm that allows backdoor access and control, and IRCbot which is a Trojan that can provide attackers with remote access to infected system, as well as a coin miner," researchers noted in a blog post.

A sample phishing email discovered by Fortinet can be seen below:

Image credit: Fortinet

Upon execution, GandCrab encrypts all files on the infected machine including personal and office documents, photos, videos and music files. All encrypted files have the .CRAB extension appended.

GandCrab uses an RSA algorithm to encrypt victim's files and includes a CRAB-DECRYPT.txt file that displays the decryption instructions. Earlier, Gandcrab attacks demanded a ransom of around $1200 worth of Dash. Now, the ransomware demands victims pay up $400 and warn the ransom will be if not paid within a few days. The payment link from the ransom note directs you to a website that can only be accessed through a TOR browser.

Image credit: Fortinet

GandCrab was first discovered by Malwarebytes researchers on January 26, 2018. Since then, the attackers behind the ransomware are found to be regularly updating their malware and attack methods. Experts suggest victims should not pay the ransom as there is no guarantee their files will be decrypted.

GrandCrab or other ransomware attacks can be prevented by employing good cybersecurity hygiene and digital security practices. Users should be wary of any unsolicited emails and executable attachments, given that many come disguised as messages from popular companies and services. It is also recommended to have a secondary data backup in an isolated network environment to safely recover user data given that any ransomware can cause irreversible damage to an infected machine and user data.