Sextortion Emails Force Payment via GandCrab Ransomware

Phishing Campaign Delivers Nasty Ransomware, Credential-Theft Two-Punch

Emails say they contain a link with screenshots of victims’ compromising activity. In reality, the link executes ransomware.

An ongoing sextortion campaign targeting thousands around the United States infects victims with the GandCrab ransomware and demands $500 to decrypt their systems.

Sextortion emails typically demand money in exchange for staying silent about adult websites the recipient supposedly visited. This particular campaign goes a step further, however, by including a link that, when clicked, installs the infamous GandCrab ransomware.

“In general, [sextortion] emails simply demand payment to avoid publication of the purported evidence of compromising information,” Proofpoint researchers said in a Friday post. “However, this week Proofpoint researchers observed a sextortion campaign that also included URLs linking to AZORult stealer that ultimately led to infection with GandCrab ransomware.”

Researchers, who first spotted the campaign Dec. 5, said it involved thousands of messages that were sent to targets primarily in the U.S.

Victims received email messages from bad actors who claimed to have compromising information about the victims’ activities on adult websites.

The message then threatens to expose a range of the supposedly observed illicit activities, and offers a link where victims can see a “video presentation” of the adult sites and screenshots of themselves (which the bad actors say were taken via the camera on the victims’ device).


“I’m know that you would not like to show these screenshots to your friends, relatives, or colleagues,” a sample message reads. “I think $381 is a very, very small amount for my silence. Besides, I have been spying on you for so long, having spent a lot of time!”

The URL purportedly takes recipients to a presentation showing video of the compromising activity captured on their device. In reality, it leads to the AZORult stealer malware, which in turn installs GandCrab ransomware.

“This particular attack combines multiple layers of social engineering as vulnerable, frightened recipients are tricked into clicking the link to determine whether the sender actually has evidence of illicit activity,” researchers said.

The ransomware in this case demands a payment of $500 in Bitcoin or open-source cryptocurrency DASH.

There are some slip-ups in the original email that may tip victims off that it is all just a scam. For instance, at the beginning of the email the sender claims to hold the victim’s account credentials, yet lists the user’s email address as both the account name and the password.


“The supposed password for the potential victim’s email address in this case appears to be the same as the email account,” researchers said. “Therefore, in this case it may simply be a bluff and the attacker does not actually possess the victim’s password.”
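As an added illustration (not code from Proofpoint or from the original article), the following mail-triage check looks for the tells described above in a plain-text message: a quoted "password" that is simply the recipient's own address, a link to the supposed evidence, a dollar demand, and a claim of camera screenshots. The sample messages, addresses, URL and amount are constructed for the example, and the check assumes a single-part text message.

```python
import email
import re

# Constructed sample modelled on the lure described above; every address,
# URL and amount here is made up for the example.
SAMPLE_EMAIL = """\
From: lure@sender.invalid
To: victim@example.com
Subject: victim@example.com

Your account: victim@example.com
Your password: victim@example.com
I have screenshots of you on adult sites, taken with your camera.
Watch the video presentation here: http://presentation.invalid/view
I think $381 is a very, very small amount for my silence.
"""

# Constructed benign message: mentions a password but carries no extortion markers.
BENIGN_EMAIL = """\
From: helpdesk@example.com
To: victim@example.com
Subject: Reminder

Please change your password before Friday.
"""

CRED_RE = re.compile(r"password\s*(?:is|:)?\s*(\S+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MONEY_RE = re.compile(r"\$\s?\d[\d,]*")
CLAIM_RE = re.compile(r"\b(screenshot|camera|webcam|adult site|video presentation)", re.IGNORECASE)


def sextortion_indicators(raw_message: str) -> list[str]:
    """Return the names of the indicators found in a plain-text message (empty list if none)."""
    msg = email.message_from_string(raw_message)
    recipient = (msg.get("To") or "").strip().lower()
    body = msg.get_payload() if not msg.is_multipart() else ""  # single-part text only
    found = []
    # The bluff from the article: the "password" the sender quotes is just the recipient's address.
    for claimed in CRED_RE.findall(body):
        if claimed.strip(".,;:").lower() == recipient:
            found.append("claimed_password_is_recipient_address")
            break
    if URL_RE.search(body):
        found.append("link_to_supposed_evidence")
    if MONEY_RE.search(body):
        found.append("monetary_demand")
    if CLAIM_RE.search(body):
        found.append("compromising_material_claim")
    return found


if __name__ == "__main__":
    print(sextortion_indicators(SAMPLE_EMAIL))
```

A message that trips the credential bluff together with a link and a payment demand is a strong candidate for quarantine rather than delivery.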

GandCrab has continued to make infosec headlines over the past year, in August taking aim at South Korean victims through emails with EGG attachments, while in May the GandCrab payload was found hiding on legitimate but compromised websites.

The ransomware continues to be profitable: According to research in March by Check Point, the group behind GandCrab has infected over 50,000 victims, mostly in the U.S., U.K. and Scandinavia. And in the first two months that the ransomware crew had been in business, criminals earned up to $600,000.

To avoid such sextortion scams, researchers advised that email users should assume the senders do not possess any screenshots of compromising activity, and should not click links in order to verify the sender’s claims.
