
Digital criminals have launched a new sextortion campaign that attempts to infect users’ computers with a version of GandCrab ransomware.

On 5 December, researchers at Proofpoint observed a scam operation spewing out thousands of emails to users primarily based in the United States. Its emails followed the same model as those of an earlier campaign in that they claimed the attackers had compromised recipients’ computers and subsequently captured the login credentials for their email accounts. In that previous operation, the digital criminals had simply used users’ email addresses and passwords exposed in previous data breaches.

According to the enterprise security company, the passwords presented in this most recent assault appeared to be the same as the email account. This suggests the attackers didn’t have access to users’ passwords, not even those which bad actors had breached in previous security incidents.

Even so, the emails in this scam campaign stood out for their inclusion of a URL that resolved to jdhftu[.]tk. Proofpoint’s staff explained where the link directed users in a blog post:

The URL purportedly takes recipients to a presentation showing them video of the compromising activities captured on their device. However, it actually leads to AZORult stealer malware, which, in turn, installs GandCrab ransomware, version 5.0.4 with affiliate ID “168;777”.

If a recipient clicked on the link and inadvertently installed GandCrab, the ransomware proceeded to encrypt their files and demand $500 in Bitcoin for its ransom payment.
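The two observable traits described above (a lure link pointing at the reported domain, and a "stolen password" that is really just the recipient's own address) can be turned into a simple mail-gateway triage check. The following is an added example written for this article, not code from Proofpoint or from the article's author; the sample messages, the URL path and the regular expressions are constructed for illustration, and only the domain jdhftu[.]tk comes from the report.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Indicator quoted in the article (stored refanged so it can be compared to parsed hostnames).
LURE_DOMAINS = {"jdhftu.tk"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# Matches "password is X" / "password: X"; the claimed value is captured in group 1.
PASSWORD_CLAIM_RE = re.compile(r"password\s*(?::|is)\s*[\"']?([^\s\"']+)", re.IGNORECASE)


@dataclass
class Email:
    recipient: str
    subject: str
    body: str


def refang(text: str) -> str:
    """Undo common defanging so indicators in text can be parsed normally."""
    return text.replace("hxxp", "http").replace("[.]", ".").replace("(.)", ".")


def extract_hosts(body: str) -> list[str]:
    """Return the hostnames of every URL found in the (refanged) body."""
    hosts = []
    for url in URL_RE.findall(refang(body)):
        host = urlparse(url.rstrip(".,;)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def claimed_passwords(body: str) -> list[str]:
    """Return every value the message presents as the recipient's password."""
    return [m.rstrip(".,;:!") for m in PASSWORD_CLAIM_RE.findall(body)]


def assess(email: Email) -> list[str]:
    """Return a list of reasons the message looks like this sextortion lure (empty = clean)."""
    reasons = []
    for host in extract_hosts(email.body):
        if host in LURE_DOMAINS or any(host.endswith("." + d) for d in LURE_DOMAINS):
            reasons.append(f"link to known lure domain {host}")
    recipient = email.recipient.lower()
    local_part = recipient.split("@", 1)[0]
    for pw in claimed_passwords(email.body):
        if pw.lower() in (recipient, local_part):
            reasons.append("claimed password is just the recipient's own address")
    return reasons


# Constructed sample messages: one mimicking the lure, one ordinary IT notice.
SAMPLES = [
    Email(
        recipient="alice@example.com",
        subject="I have your recordings",
        body=("I know your password is alice@example.com. Watch the video here: "
              "hxxp://jdhftu[.]tk/presentation before it is too late."),
    ),
    Email(
        recipient="alice@example.com",
        subject="Scheduled password rotation",
        body="Please change your password via the portal: https://intranet.example.com/reset",
    ),
]


def triage(emails: list[Email]) -> dict[str, list[str]]:
    """Map each subject to its list of reasons; useful as a quick gateway report."""
    return {e.subject: assess(e) for e in emails}


if __name__ == "__main__":
    for subject, reasons in triage(SAMPLES).items():
        print(subject, "->", reasons or "clean")
```

The check deliberately keys on the weakness the article points out: because the attackers had no real credentials, the "password" they quote is the address itself, which a gateway can verify without any external lookup.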

Payment portal for GandCrab. (Source: Proofpoint)

Fortunately, victims can now recover their files from most versions of GandCrab for free with the help of a decryptor released by BitDefender back in October.

This most recent sextortion scam campaign highlights the persistence of ransomware as well as attackers’ willingness to prey upon users with social engineering and fear. In response, users should follow these steps to prevent a ransomware infection. They should also create a strong, unique password for each of their web accounts and implement 2FA or MFA wherever it’s available.