Leave a comment

Hackers are tricking you into installing this new malware

Hackers are tricking you into installing this new malware
Pete Chase

Ransomware is still the current biggest software security threat out there. One thing about ransomware that's so appealing to cybercriminals, aside from its profitability, is its adaptability. And like legitimate software, new ransomware updates regularly emerge, bigger and stronger than ever!

It's constantly evolving, as cybercriminals change their code to suit their needs and to elude security software. And it's not just the code that changes regularly, the feature sets and methods for ransomware distribution also keep changing.

In fact, three new variants of a known ransomware strain are currently wreaking havoc and a massive campaign is underway to infect as many computers as possible.

Read on and I'll tell you what to watch out for to avoid getting victimized by these new malicious strains.

New campaign starring GandCrab 2.1

Beware! A new massive malware campaign has been spotted by researchers at Fortinet and they said that it's spreading three new variants of a nasty type of ransomware called GandCrab (now at version 2.1).

Apparently, the new campaign is using phishing emails to distribute the new ransomware strains, looking to infect as many victims as possible. Fortinet has been tracking tens of thousands of these GandCrab 2.1 phishing emails every day, with U.S. mail servers as the most popular target. Other countries with high infection rates are Peru, Chile and India.

Photo Credit: Fortinet

Beware of these emails

Here's what you need to watch out for. The malicious emails have typical click-bait subjects like bills, tickets, payments, unclaimed orders and receipts.

Here's a sample GandCrab 2.1 email:

Photo Credit: Fortinet

Once opened, these emails harbor a ZIP attachment with hidden Javascript code that will download and install GandCrab when executed.

These attachments have variations of this file name format: FILE #<RANDOM NUMBERS>.zip. These file names will also be the subject lines of the phishing emails.

Subject and file name examples:

  • Document #<NUMBERS>
  • Invoice #<NUMBERS>
  • Order #<NUMBERS>
  • Payment #<NUMBERS>
  • Payment Invoice #<NUMBERS>
  • Ticket #<NUMBERS>
  • Your Document #<NUMBERS>
  • Your Order #<NUMBERS>
  • Your Ticket #<NUMBERS>

When executed, GandCrab 2.1 will encrypt all your personal files - Office documents, photos, videos, music - and it will append the .CRAB extension.

Photo Credit: Fortinet

First seen by Malwarebytes researchers on January 26, GandCrab is just like any other ransomware. It locks Windows files using RSA encryption and it will also drop a CRAB-DECRYPT text file within your folders for decryption instructions (the ransom note).

Photo Credit: Fortinet

To unlock your files, the ransom note has a link that directs you to a website that can only be accessed via TOR browser - a browser designed to conceal your identity when you're online. The site will offer a way to purchase a decryption key to unlock the files.

While earlier GandCrab attacks demanded a payment of $1,200 worth of the cryptocurrency Dash, the initial ransom for this campaign stands at $400. The ransom also doubles if the price is not paid within a few days.

Photo Credit: Fortinet

Don't pay the ransom!

If you do get hit by the GandCrab 2.1 ransomware, Fortinet warns not to pay the ransomware since it's no guarantee that you'll get your files back. Recent statistics show that only a quarter of people who pay these ransoms actually get their files decrypted.

How to protect yourself from GandCrab 2.1

Unfortunately, if you do get infected with GandCrab, there are currently no free decryption keys available yet so prevention is your best defense.

Be extra careful about opening your emails. Don't click links nor open attachments embedded within emails from unknown sources.

Many phishing emails pretend to be from popular sites and services. Don't fall for these! It's better to type the website's address directly into a browser than clicking on a link.

Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn't what the link claims, do not click on it.

And as usual, the best defense against ransomware is a good online backup solution! With the threat of ransomware constantly looming, a reliable backup will always give you the peace of mind you need. We recommend our sponsor IDrive for all your Cloud backup needs! Go to IDrive.com and use promo code Kim to receive an exclusive offer.

Click here and remember to use promo code Kim to receive 50% off.

In other news, if you use this browser, beware of a new malware attack

Here's another ongoing malware campaign you need to know about. A zero-day bug is apparently being exploited in Internet Explorer to spread spying malware! How can you protect yourself from this danger? Click here to read more about it.

Next Story
Incognito mode isn't as private as you think
Previous Happening Now

Incognito mode isn't as private as you think

Gun owners are ticked off at the new gun emojis
Next Happening Now

Gun owners are ticked off at the new gun emojis

View Comments ()