Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog

Cybersecurity Blog

Thought leadership. Threat analysis. Cybersecurity news and alerts.

How to Avoid Being a Victim of Email-Based Ransomware

5/4/2018

0 Comments

 
email based ransomware

How to Avoid Being a Victim of Email-Based Ransomware

The latest version of the ransomware called “GandCrab” is an example of how cyber attackers bait their ransomware victims through email spam campaign.

Last month, security researchers at Fortinet observed a surge in an email spam campaign delivering the latest version of GandCrab ransomware.

GandCrab ransomware is a malicious software (malware) that encrypts files on the compromised computers, locks out users and demands a payment to decrypt or unlock the files.

How Ransomware Victims Are Baited via Email Spam Campaign

The latest version of GandCrab ransomware works by employing spam emails. While these spam emails don’t target specific individuals, it targets specific countries as emails in the US are the primary recipients of this spam campaign, followed by emails in the UK and emails in Canada.

Receivers of these spam emails are tricked into opening these malicious emails as the attackers use these subjects commonly used by people working in an organization:

  • Document # (Numbers)
  • Invoice # (Numbers)
  • Order # (Numbers)
  • Payment # (Numbers)
  • Payment Invoice # (Numbers)
  • Ticket # (Numbers)
  • Your Document # (Numbers)
  • Your Order #(Numbers)
  • Your Ticket # (Numbers)

The spam emails all contain a Javascript attachment with the filename format DOC (Numbers).zip. When this attachment is opened, it downloads the latest version of Gandcrab ransomware from a malicious website.

Once the malware is downloaded to a compromised computer, all the files in the computer are then encrypted, preventing the user to access the files and a ransom note is posted on the computer screen.

This ransom note directs the user to a site using the TOR browser – a browser designed to protect privacy and anonymity. Once accessed, this site tells the victim that files on the compromised computer have been encrypted. The victim is asked to pay USD 800 within a certain period. If payment isn't done within the allowed period, the cost of decrypting the files is doubled.

GandCrab Ransomware Earlier Versions

The first version of GandCrab ransomware first appeared in the wild on January 30, 2018.

This early version of GandCrab ransomware was distributed as well via spam emails purporting to be invoices. The early version of GandCrab ransomware was also distributed via malicious advertisements (malvertisements) linked to malicious websites where the downloading of the GandCrab ransomware is then initiated.

Similar to the latest version of GandCrab, the first version spread into the wild and encrypts the files on the compromised computer. Instead of asking ransom payment in the form of US dollars, the first version of GandCrab asks for a ransom payment in the form of Dash cryptocurrency – the first time this cryptocurrency has been used in a ransomware campaign. In the past, ransomware attackers preferred cryptocurrencies Bitcoin and Monero as ransom payment.

According to Europol, European Union’s law enforcement agency, GandCrab ransomware is run as an affiliate program or ransomware-as-a-service. Anyone who wants to join the GandCrab affiliate program pays 30% to 40% of the ransom revenues to its creator and in return gets a full-featured web panel and technical support.

According to Check Point, as of March 13, 2018, GandCrab has infected over 50,000 computer systems and received an equivalent of USD 300,000 to USD 600,000 in ransom payments.

A tool to decrypt files encrypted by GandCrab (version 1)was developed by a combined effort of the Romanian authorities, Bitdefender and Europol and made available to the public for free.

According to Check Point, the decryptor tool wasn’t a result of a cryptographic breakthrough. It was, however, borne out of the law enforcement arm’s access to the ransomware’s master server, enabling the law enforcement arm to recover all private keys that had been used to perform the encryption made by GandCrab (version 1), evident with the decryptor tool’s dependence on an available victim ID.

Developers of GandCrab, however, regular modify the ransomware, making the decryption tool developed by the Romanian authorities, Bitdefender and Europol useless as it won't bring the files back.

Paying the ransom for the latest version of GandCrab is, therefore, not advisable as this doesn’t guarantee that the attackers have the capability or any intention to decrypt files.

Social Engineering Feature of GandCrab Ransomware

As can be gleaned from the different versions of GandCrab ransomware, social engineering is employed.

Social engineering cyberattack happens when an attacker uses a typical form of human interaction to obtain information about an organization or to compromise the organization’s computer systems.

Today’s human interaction now involves technology. Many human interactions now happen via email exchanges – a form of online communication that withstands even with the advent of new forms of communications like instant messaging, social networking and online chat.

GandCrab isn't the only ransomware that relies on spam emails for its distribution. Other notorious ransomware like Spora and Locky are also distributed through spam emails. For instance, on August 28th last year, in just a matter of 24 hours, over 23 million spam emails were sent carrying the Locky ransomware.

Interesting to note that these 3 ransomware GandCrab, Spora and Locky tricked their victims into opening email attachments laden with ransomware by using the subject “Invoice”.

Prevention

Here are some of the best practices on how to avoid being a victim of email-based ransomware like GandCrab:

  • Train employees to be vigilant in opening email attachments. Unsolicited emails and their attachments should never be opened. Only open email attachments from trusted email sender.
  • Configure your email server to block email that contains file attachments that are commonly used to spread malware such as .vbs, .bat, .exe, .pif and .scr files.
  • Use antispam and antivirus services to block spam emails.
  • Use web filtering service that blocks malicious websites from downloading malicious software.
  • All downloaded software must be scanned for viruses.
  • Always keep all your software up-to-date.
  • Disable AutoPlay to block the automatic launching of executable files on network and removable drives.
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Archives

    September 2021
    August 2021
    July 2021
    June 2021
    May 2021
    April 2021
    March 2021
    February 2021
    January 2021
    December 2020
    November 2020
    October 2020
    September 2020
    August 2020
    July 2020
    June 2020
    May 2020
    April 2020
    March 2020
    February 2020
    January 2020
    December 2019
    November 2019
    October 2019
    September 2019
    August 2019
    July 2019
    June 2019
    May 2019
    April 2019
    March 2019
    February 2019
    January 2019
    December 2018
    November 2018
    October 2018
    September 2018
    August 2018
    July 2018
    June 2018
    May 2018
    April 2018
    March 2018
    February 2018
    January 2018
    December 2017
    November 2017
    October 2017
    September 2017
    August 2017
    July 2017
    June 2017
    May 2017
    April 2017
    March 2017
    February 2017
    January 2017
    December 2016
    October 2016
    August 2016
    May 2016
    March 2016
    January 2016
    November 2015
    October 2015
    August 2015
    June 2015

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    Brute Force Attack
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    SaaS Security
    Social Engineering
    Supply Chain Attack
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security
    Zero Trust

    RSS Feed

1.888.900.DRIZ (3749)

Managed Services
Web Application Security
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
About us
Testimonials
​Meet the Team
​Subsidiaries
​Contact us
​Blog
Resources & Tools
​Incident Management Playbook
Sophos authorized partner logo
Privacy Policy | CASL
Copyright © 2021 Driz Group Inc. All Rights Reserved.
Photo used under Creative Commons from GotCredit