Threat Management, Malware, Ransomware, Threat Management

Sextortion scandals add GandCrab ransomware to the attack

In the latest rendition of a sextortion plot that has been using public breach data to trick victims into thinking they were hacked, cybercriminals have added the inevitable ransomware update to the scam.

The malware attacks usually consist of a statement that the recipients devices has been compromised with a spyware or a key logger, the threat actors will often include a password associated with an account or the name of a spouse or relative to make it appear more believable.

The scam also includes accusations of impropriety online or of inappropriate files stored on the device and then demands a bitcoin payment.

“This particular attack combines multiple layers of social engineering as vulnerable, frightened recipients are tricked into clicking the link to determine whether the sender actually has evidence of illicit activity,” researchers said in the post.

“The supposed password for the potential victim’s email address in this case appears to be the same as the email account. Therefore, in this case it may simply be a bluff and the attacker does not actually possess the victim’s password.”

Proofpoint researchers have observed campaign involving thousands of emails which include a note   claiming someone has been monitoring the victim for about a month, and rather than freeze their device when they supposedly gained initial access, they claimed to take screenshots of the victims browsing habits.

In addition they threaten to have compiled a video of recordings of the victims watching questionable content and an offer to get rid of the proof for $381.

If the potential victim does click and follow through to see the proof, they are actually installing ransomware linked in the email, and are redirected to an AZORult stealer that ultimately led to a GandCrab ransomware infection demanding a payment of $500 in Bitcoin or DASH.

Researchers recommend that victims of these attacks assume the sender does not actually possess screenshots or video of any compromising activity and not click any links or open attachments to verify the sender’s claim.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.