Emails say they contain a link with screenshots of victims’ compromising activity. In reality, the link executes ransomware.

Georgi Spasov
04 Jan 2020

An ongoing sextortion campaign targeting thousands around the United States infects victims with the GandCrab ransomware and demands $500 to decrypt their systems.

Sextortion emails typically ask for money in exchange for silence about adult websites the recipient supposedly visited. This particular campaign takes it a step further by including a link which, when clicked, installs the infamous GandCrab ransomware.

“In general, *sextortion* emails simply demand payment to avoid publication of the purported evidence of compromising information,” Proofpoint researchers said in a Friday post. “However, this week Proofpoint researchers observed a sextortion campaign that also included URLs linking to AZORult stealer that ultimately led to infection with GandCrab ransomware.”

Researchers, who first spotted the campaign Dec. 5, said it involved thousands of messages sent to targets primarily in the U.S. Victims received email messages from bad actors who claimed to have compromising information about the victims’ activities on adult websites. The message then threatens to expose a range of the supposedly observed illicit activities, and offers a link where victims can see a “video presentation” of the adult sites and screenshots of themselves (which the bad actors say were taken via the camera on the victims’ device).

“The supposed password for the potential victim’s email address in this case appears to be the same as the email account,” researchers said. “Therefore, in this case it may simply be a bluff and the attacker does not actually possess the victim’s password.”

GandCrab has continued to make infosec headlines over the past year: in August it took aim at South Korean victims through emails with EGG attachments, and in May the GandCrab payload was found hiding on legitimate but compromised websites. The ransomware continues to be profitable: according to research in March by Check Point, the group behind GandCrab has infected over 50,000 victims, mostly in the U.S., U.K. and Scandinavia, and in the first two months that the ransomware crew had been in business, criminals earned up to $600,000.

To avoid such sextortion scams, researchers warned that email users should assume that senders do not possess any screenshots of compromising activity, and should avoid clicking links to verify the sender’s claims.
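One way a mail-filtering or SOC team could triage messages of this kind, as an added example that is not Proofpoint's code and not part of the original article: score each email on the lure traits the researchers describe (webcam claim, adult-site claim, an offered "video presentation" or screenshots, a payment demand, an embedded link) and apply the bluff check they mention, namely whether the "password" the sender quotes is simply the recipient's own account name. The indicator patterns, thresholds, the `example.invalid` URLs and the three sample messages are all constructed for this illustration; the URLs are only extracted for analyst review, never fetched.

```python
"""Heuristic triage for sextortion-style emails carrying a link.
Added example, not the article's or Proofpoint's code. Indicator
phrases, weights and sample messages are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import parseaddr

# Lure traits described in the campaign write-up; patterns are assumptions.
LURE_PATTERNS = {
    "webcam_claim": re.compile(r"\b(web ?cam|camera)\b", re.I),
    "adult_site_claim": re.compile(r"\badult (?:web)?sites?\b", re.I),
    "evidence_offer": re.compile(r"\b(video presentation|screenshots?)\b", re.I),
    "payment_demand": re.compile(r"\b(bitcoin|btc)\b|\$\s?\d+", re.I),
}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
# "your password is X" style claim; trailing sentence punctuation is stripped.
PASSWORD_CLAIM_RE = re.compile(r"password\s*(?:is|:)\s*([^\s,;\"']+)", re.I)


@dataclass
class Triage:
    score: int = 0
    lure_hits: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    password_bluff: bool = False

    @property
    def verdict(self) -> str:
        # Require a payment demand plus a link before calling it sextortion,
        # so a support mail about a webcam and screenshots stays "suspicious".
        if self.urls and "payment_demand" in self.lure_hits and len(self.lure_hits) >= 3:
            return "sextortion-with-link"
        if self.score >= 2:
            return "suspicious"
        return "clean"


def _body_text(msg) -> str:
    """Collect text/plain parts (walk() yields the message itself if single-part)."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_email: str) -> Triage:
    msg = message_from_string(raw_email)
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    result = Triage()
    result.lure_hits = [name for name, pat in LURE_PATTERNS.items() if pat.search(text)]
    result.urls = URL_RE.findall(text)  # extracted for review only, never opened
    _, recipient = parseaddr(msg.get("To", ""))
    local_part = recipient.split("@")[0].lower()
    m = PASSWORD_CLAIM_RE.search(text)
    if m and recipient:
        claimed = m.group(1).rstrip(".").lower()
        # The bluff from the write-up: "password" equals the account name.
        result.password_bluff = claimed in (local_part, recipient.lower())
    result.score = (len(result.lure_hits)
                    + (2 if result.urls and result.lure_hits else 0)
                    + (1 if result.password_bluff else 0))
    return result


# Constructed sample messages (no real senders, domains or victims).
SAMPLE_LURE = """From: nobody@example.invalid
To: jane.doe@example.com
Subject: I know your secret

Your password is jane.doe. I put malware on the adult websites you visited and
recorded you through your camera. Open http://example.invalid/video-presentation
to see the video presentation and screenshots. Send $500 in bitcoin in 48 hours.
"""
SAMPLE_BENIGN = """From: pat@example.com
To: jane.doe@example.com
Subject: Meeting notes

Notes from today are at http://example.invalid/notes . Thanks!
"""
SAMPLE_SUPPORT = """From: helpdesk@example.com
To: jane.doe@example.com
Subject: Webcam driver

Your webcam stopped working after the update. Screenshots of the fix are at
http://example.invalid/kb/123 .
"""

if __name__ == "__main__":
    for label, sample in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN), ("support", SAMPLE_SUPPORT)):
        t = triage(sample)
        print(f"{label}: {t.verdict} score={t.score} hits={t.lure_hits} bluff={t.password_bluff}")
```

The verdict deliberately needs a payment demand together with a link before it labels a message as this kind of sextortion; a helpdesk mail that mentions a webcam and screenshots only reaches "suspicious", which is the false-positive case a filter of this shape has to budget for.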


Georgi was the Bulgarian POC for high-tech crimes during his work as a cybercrime forensic investigator. Now, as a fullstack developer, he contributes his knowledge to building highly available software solutions.
