Driz Group
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog
  • Managed Services
    • Web Application Security >
      • Schedule WAF Demo
    • Virtual CISO
    • Compliance >
      • SOC1 & SOC2
      • GDPR
    • Third-Party Risk Management
    • Vulnerability Assessment >
      • Free Vulnerability Assessment
  • About us
    • Testimonials
    • Meet The Team
    • Resources
    • In the news
    • Subsidiaries
  • Contact
    • Newsletter
  • Blog

Cybersecurity Blog

Thought leadership. threat analysis, news and alerts.

How to Avoid Being a Victim of Email-Based Ransomware

5/4/2018

0 Comments

 
email based ransomware

How to Avoid Being a Victim of Email-Based Ransomware

The latest version of the ransomware called “GandCrab” is an example of how cyber attackers bait their ransomware victims through email spam campaign.

Last month, security researchers at Fortinet observed a surge in an email spam campaign delivering the latest version of GandCrab ransomware.

GandCrab ransomware is a malicious software (malware) that encrypts files on the compromised computers, locks out users and demands a payment to decrypt or unlock the files.

How Ransomware Victims Are Baited via Email Spam Campaign

The latest version of GandCrab ransomware works by employing spam emails. While these spam emails don’t target specific individuals, it targets specific countries as emails in the US are the primary recipients of this spam campaign, followed by emails in the UK and emails in Canada.

Receivers of these spam emails are tricked into opening these malicious emails as the attackers use these subjects commonly used by people working in an organization:

  • Document # (Numbers)
  • Invoice # (Numbers)
  • Order # (Numbers)
  • Payment # (Numbers)
  • Payment Invoice # (Numbers)
  • Ticket # (Numbers)
  • Your Document # (Numbers)
  • Your Order #(Numbers)
  • Your Ticket # (Numbers)

The spam emails all contain a Javascript attachment with the filename format DOC (Numbers).zip. When this attachment is opened, it downloads the latest version of Gandcrab ransomware from a malicious website.

Once the malware is downloaded to a compromised computer, all the files in the computer are then encrypted, preventing the user to access the files and a ransom note is posted on the computer screen.

This ransom note directs the user to a site using the TOR browser – a browser designed to protect privacy and anonymity. Once accessed, this site tells the victim that files on the compromised computer have been encrypted. The victim is asked to pay USD 800 within a certain period. If payment isn't done within the allowed period, the cost of decrypting the files is doubled.

GandCrab Ransomware Earlier Versions

The first version of GandCrab ransomware first appeared in the wild on January 30, 2018.

This early version of GandCrab ransomware was distributed as well via spam emails purporting to be invoices. The early version of GandCrab ransomware was also distributed via malicious advertisements (malvertisements) linked to malicious websites where the downloading of the GandCrab ransomware is then initiated.

Similar to the latest version of GandCrab, the first version spread into the wild and encrypts the files on the compromised computer. Instead of asking ransom payment in the form of US dollars, the first version of GandCrab asks for a ransom payment in the form of Dash cryptocurrency – the first time this cryptocurrency has been used in a ransomware campaign. In the past, ransomware attackers preferred cryptocurrencies Bitcoin and Monero as ransom payment.

According to Europol, European Union’s law enforcement agency, GandCrab ransomware is run as an affiliate program or ransomware-as-a-service. Anyone who wants to join the GandCrab affiliate program pays 30% to 40% of the ransom revenues to its creator and in return gets a full-featured web panel and technical support.

According to Check Point, as of March 13, 2018, GandCrab has infected over 50,000 computer systems and received an equivalent of USD 300,000 to USD 600,000 in ransom payments.

A tool to decrypt files encrypted by GandCrab (version 1)was developed by a combined effort of the Romanian authorities, Bitdefender and Europol and made available to the public for free.

According to Check Point, the decryptor tool wasn’t a result of a cryptographic breakthrough. It was, however, borne out of the law enforcement arm’s access to the ransomware’s master server, enabling the law enforcement arm to recover all private keys that had been used to perform the encryption made by GandCrab (version 1), evident with the decryptor tool’s dependence on an available victim ID.

Developers of GandCrab, however, regular modify the ransomware, making the decryption tool developed by the Romanian authorities, Bitdefender and Europol useless as it won't bring the files back.

Paying the ransom for the latest version of GandCrab is, therefore, not advisable as this doesn’t guarantee that the attackers have the capability or any intention to decrypt files.

Social Engineering Feature of GandCrab Ransomware

As can be gleaned from the different versions of GandCrab ransomware, social engineering is employed.

Social engineering cyberattack happens when an attacker uses a typical form of human interaction to obtain information about an organization or to compromise the organization’s computer systems.

Today’s human interaction now involves technology. Many human interactions now happen via email exchanges – a form of online communication that withstands even with the advent of new forms of communications like instant messaging, social networking and online chat.

GandCrab isn't the only ransomware that relies on spam emails for its distribution. Other notorious ransomware like Spora and Locky are also distributed through spam emails. For instance, on August 28th last year, in just a matter of 24 hours, over 23 million spam emails were sent carrying the Locky ransomware.

Interesting to note that these 3 ransomware GandCrab, Spora and Locky tricked their victims into opening email attachments laden with ransomware by using the subject “Invoice”.

Prevention

Here are some of the best practices on how to avoid being a victim of email-based ransomware like GandCrab:

  • Train employees to be vigilant in opening email attachments. Unsolicited emails and their attachments should never be opened. Only open email attachments from trusted email sender.
  • Configure your email server to block email that contains file attachments that are commonly used to spread malware such as .vbs, .bat, .exe, .pif and .scr files.
  • Use antispam and antivirus services to block spam emails.
  • Use web filtering service that blocks malicious websites from downloading malicious software.
  • All downloaded software must be scanned for viruses.
  • Always keep all your software up-to-date.
  • Disable AutoPlay to block the automatic launching of executable files on network and removable drives.
0 Comments

Your comment will be posted after it is approved.


Leave a Reply.

    Author

    Steve E. Driz, I.S.P., ITCP

    Picture
    View my profile on LinkedIn

    Categories

    All
    0-Day
    2FA
    Access Control
    Advanced Persistent Threat
    AI
    ATP
    Awareness Training
    Botnet
    Bots
    CASL
    Cloud Security
    Compliance
    COVID 19
    COVID-19
    Cryptocurrency
    Cyber Attack
    Cyberattack Surface
    Cyber Espionage
    Cybersecurity
    Cyber Security
    Cyber Security Consulting
    Cyber Security Insurance
    Cyber Security Risk
    Cyber Security Threats
    Data Breach
    Data Governance
    Data Leak
    Data Leak Prevention
    DDoS
    Email Security
    Fraud
    GDPR
    Hacking
    IoT
    Malware
    MFA
    Microsoft Office
    Mobile Security
    Network Security Threats
    Phishing Attack
    Privacy
    Ransomware
    Remote Access
    Social Engineering
    Third-Party Risk
    Virtual CISO
    Vulnerability
    Vulnerability Assessment
    Web Applcation Security
    Web-applcation-security
    Web Application Firewall
    Web Application Protection
    Web Application Security
    Web Protection
    Windows Security

    RSS Feed

1.888.900.DRIZ (3749)

Managed Services
Web Application Security
Compliance
​Vulnerability Assessment
Free Vulnerability Assessment
About us
Testimonials
​Meet the Team
​Subsidiaries
​
Contact us
​
Blog
Resources & Tools
​Incident Management Playbook
Privacy Policy | CASL
Copyright © 2021 Driz Group Inc. All Rights Reserved.
Photo used under Creative Commons from GotCredit