Ransomware is still the biggest software security threat out there. One thing about ransomware that’s so appealing to cybercriminals, aside from its profitability, is its adaptability. And like legitimate software, new ransomware updates regularly emerge, bigger and stronger than ever!
It’s constantly evolving, as cybercriminals change their code to suit their needs and to elude security software. And it’s not just the code that changes regularly: the feature sets and the methods used to distribute ransomware keep changing too.
In fact, three new variants of a known ransomware strain are currently wreaking havoc and a massive campaign is underway to infect as many computers as possible.
Read on and I’ll tell you what to watch out for to avoid getting victimized by these new malicious strains.
New campaign starring GandCrab 2.1
Beware! A new massive malware campaign has been spotted by researchers at Fortinet and they said that it’s spreading three new variants of a nasty type of ransomware called GandCrab (now at version 2.1).
Apparently, the new campaign is using phishing emails to distribute the new ransomware strains, looking to infect as many victims as possible. Fortinet has been tracking tens of thousands of these GandCrab 2.1 phishing emails every day, with U.S. mail servers as the most popular target. Other countries with high infection rates are Peru, Chile and India.
Beware of these emails
Here’s what you need to watch out for. The malicious emails have typical click-bait subjects like bills, tickets, payments, unclaimed orders and receipts.
Here’s a sample GandCrab 2.1 email:
The emails carry a ZIP attachment whose name follows the format FILE #<RANDOM NUMBERS>.zip, where FILE is one of the words listed below. The same file name is also used as the subject line of the phishing email.
Subject and file name examples:
- Document #<NUMBERS>
- Invoice #<NUMBERS>
- Order #<NUMBERS>
- Payment #<NUMBERS>
- Payment Invoice #<NUMBERS>
- Ticket #<NUMBERS>
- Your Document #<NUMBERS>
- Your Order #<NUMBERS>
- Your Ticket #<NUMBERS>
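The lure pattern above is concrete enough to check for automatically. The following is an added example, not code from the article or from Fortinet: it flags a message only when the subject follows the "<Word> #<digits>" format AND a .zip attachment repeats that subject as its name (a numbered subject on its own is normal for real invoices), and it separately scans a file listing for the .CRAB extension and the CRAB-DECRYPT note. The Email class and the sample messages are constructed for this example.

```python
import re
from typing import NamedTuple

# Subject/attachment prefixes Fortinet listed for the GandCrab 2.1 lure;
# each is followed by " #" and a run of digits (e.g. "Invoice #48213").
LURE_PREFIXES = (
    "Document", "Invoice", "Order", "Payment", "Payment Invoice",
    "Ticket", "Your Document", "Your Order", "Your Ticket",
)
LURE_RE = re.compile(
    r"^(?:" + "|".join(re.escape(p) for p in LURE_PREFIXES) + r") #\d+$",
    re.IGNORECASE,
)

class Email(NamedTuple):
    subject: str
    attachments: tuple  # attachment file names as received

def lure_zip_names(mail: Email) -> list:
    """Zip attachments whose name (minus .zip) repeats a lure-style subject."""
    subject = mail.subject.strip()
    if not LURE_RE.match(subject):
        return []
    return [name for name in mail.attachments
            if name.lower().endswith(".zip")
            and name[:-4].strip().lower() == subject.lower()]

def is_gandcrab_lure(mail: Email) -> bool:
    """Flag the combination the campaign uses: a '<Word> #<digits>' subject
    plus a .zip attachment carrying that same name. A numbered subject alone
    is normal for genuine invoices, so it is not enough by itself."""
    return bool(lure_zip_names(mail))

def encryption_signs(file_names) -> list:
    """Endpoint side: files renamed to .CRAB or a dropped CRAB-DECRYPT note."""
    hits = []
    for name in file_names:
        base = name.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower().endswith(".crab") or base.upper().startswith("CRAB-DECRYPT"):
            hits.append(name)
    return hits

# Constructed sample messages, not data from the real campaign.
SAMPLES = [
    Email("Payment Invoice #20391", ("Payment Invoice #20391.zip",)),
    Email("Invoice #1003", ("invoice-1003.pdf",)),
    Email("Team lunch Friday", ("menu.zip",)),
]
```

Feeding `SAMPLES` through `is_gandcrab_lure` flags only the first message; the second has a numbered subject but no matching ZIP, the third neither.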
When executed, GandCrab 2.1 will encrypt all your personal files – Office documents, photos, videos, music – and it will append the .CRAB extension.
First seen by Malwarebytes researchers on January 26, GandCrab is just like any other ransomware. It locks Windows files using RSA encryption and drops a CRAB-DECRYPT text file (the ransom note) in your folders with decryption instructions.
The ransom note contains a link to a website that can only be reached through the Tor browser – a browser designed to conceal your identity when you’re online. The site offers a way to purchase a decryption key to unlock the files.
While earlier GandCrab attacks demanded a payment of $1,200 worth of the cryptocurrency Dash, the initial ransom for this campaign stands at $400. The ransom doubles if it is not paid within a few days.
Don’t pay the ransom!
How to protect yourself from GandCrab 2.1
Unfortunately, if you do get infected with GandCrab, there are no free decryption keys available yet, so prevention is your best defense.
Be extra careful about opening your emails. Don’t click links or open attachments in emails from unknown sources.
Many phishing emails pretend to be from popular sites and services. Don’t fall for these! It’s better to type the website’s address directly into a browser than to click on a link.
Before you ever click on a link, hover over it with your mouse to see where it is going to take you. If the destination isn’t what the link claims, do not click on it.
And as usual, the best defense against ransomware is a good online backup solution! With the threat of ransomware constantly looming, a reliable backup will always give you the peace of mind you need. We recommend our sponsor IDrive for all your Cloud backup needs! Go to IDrive.com and use promo code Kim to receive an exclusive offer.
In other news, if you use this browser, beware of a new malware attack
Here’s another ongoing malware campaign you need to know about. A zero-day bug is apparently being exploited in Internet Explorer to spread spying malware! How can you protect yourself from this danger? Click here to read more about it.