VenusLocker threat group targeting South Korea with the GandCrab ransomware

• The cybercriminals abused EGG files to deliver GandCrab ransomware v4.3.
• The campaign made use of the South Korean language Hangul in the spam emails’ subject and body.

The latest version of the GandCrab ransomware (v4.3) has been used by the VenusLocker threat group to target victims in the South Korea. The cybercriminals abused the EGG files to deliver GandCrab.

Although most users across the globe don’t generally used EGG files, in South Korea however, they have been incredibly popular since 1999, when the South Korean firm ESTsoft developed and released it to the public, Graham Cluley reported.

According to security experts at Trend Micro, who discovered the new GandCrab campaign, VenusLocker hackers have used the South Korean language Hangul in the subject and body of spam emails.

Trend Micro researchers said in a blog that the new campaign began on August 7. The researchers added that between March and July 2018, GandCrab was the second-highest ransomware family detected globally.

VenusLocker reinvented

The new GandCrab campaign is yet another reinvention for the VenusLocker threat group. VenusLocker has a history of targeting South Koreans using phishing campaigns. However, late last year, the group changed its ploy, adopting cryptomining. The group’s previous campaign saw a Monero miner deployed to target South Korean victims.

However, following global trends in the threat landscape, VenusLocker has now switched back to using ransomware, choosing GandCrab - ranked the second most popular in 2018.