Over the past few days, FortiGuard Labs has been observing a surge in an email spam campaign delivering the latest GandCrab v2.1 ransomware. This article provides a basic overview of this malicious campaign, and points out details that can help users identify it.
The image below is a screenshot from our KTIS (Kadena Threat Intelligence System) that shows the overview of a single spam campaign that led to a GandCrab v2.1 sample being delivered as a payload.
The graph also shows that at the time of this writing, three unique (different) hashes of Gandcrab v2.1 had already been hosted from the URL. This means that newly created samples are being pushed simultaneously, possibly with different configurations, or simply in an attempt to evade specific file signatures. Not limiting itself to Gandcrab, the entity behind this IP address is also hosting other malware, such as Phorpiex, which is a worm that allows backdoor access and control, and IRCbot which is a Trojan that can provide attackers with remote access to infected system, as well as a coin miner.
· Document #<NUMBERS>
· Invoice #<NUMBERS>
· Order #<NUMBERS>
· Payment #<NUMBERS>
· Payment Invoice #<NUMBERS>
· Ticket #<NUMBERS>
· Your Document #<NUMBERS>
· Your Order #<NUMBERS>
· Your Ticket #<NUMBERS>
The graph below details the spam distribution in terms of the email recipient domains gathered from the collected spam emails over the past week. As can be seen, mail servers hosted in the US are currently the primary recipients of this campaign.
On the other hand, the next graph below shows a more general perspective of GandCrab’s actual infection during the past month. Based on timing alone (04/14-04/17), it can be observed that infection had already gone up at the time of this campaign’s discovery.
With regards to actual successful GandCrab infections, India is in the top spot, as shown in the following graph.
The ransom note contains a link to an onion site that the user has to visit using a TOR browser – which is a browser designed for anonymous internet browsing and downloading – in order to purchase a file decryptor. The page displays the usual ransomware information, such as further instructions and the initial ransom amount, which will be doubled after a certain time. However, we discourage users from paying the ransom as this does not guarantee any actions from the threat actors.
GandCrab ransomware, or any type of ransomware for that matter, can cause irreversible damage to an infected system. The best defense against these kinds of attacks is good cyber hygiene and safe practices. In this case, remember that it is always important to be cautious about unsolicited emails, especially those with executable attachments. In addition, if all else fails, make sure you always have a backup stored in an isolated network environment in order to successfully recover a compromised system.
As always, FortiGuard Labs will continue monitoring GandCrab’s activity, as well as other malware being distributed by these spam campaigns.
-= FortiGuard Lion Team =-
Fortinet users are protected by the following solutions:
· Emails are blocked by our FortiGuard AntiSpam Service
· Files in the attack chain are detected by FortiGuard Antivirus
· Malicious download URLs and C2s are blocked by our FortiGuard Web Filtering Service.
· FortiSandbox rates any execution point in the attack chain as “High Risk”
FortiMail and the Security Fabric
FortiMail is a central component of the Fortinet Security Fabric and a key protection point against new, previously unseen threats using email as the attack vector. FortiMail has multiple layers of threat preventions and integrations which enable the interception and neutralization of this and other such email-bourne threats:
When integrated with FortiSandbox in the security fabric, FortiMail queues emails whilst the threats are opened and executed in a sandboxed virtual machine. FortiSandbox was able to detect this threat based on the behavior of the JS file and subsequent callouts to malicious URLs and C2s, rating the content a ‘high risk’, allowing FortiMail to neutralize the threat from the first occurrence.
FortiMail utilizes the FortiGuard Spam and Virus Outbreak Service which uses cloud based machine learning to identify and block new threat outbreaks. This blocked the various form of this threat within seconds of the service detecting the start of each campaign.
A range of content based methods are available to neutralize such threats including:
A key feature of the security fabric is the sharing of threat intelligence across the participants. Once a threat is identified, malware and malicious URL packages are shared between fabric members including FortiSandbox, FortiMail, FortiGate and FortiClient, so that should the threat attempt to utilize other vectors for exploitation, it will be detected instantly.
<list reduced for brevity>
9898b8e0a8b1a6ba96b07bc01ecef716cf9c5280f5190467e5da449854e64b22 - BAT/Agent.ALP!tr
d3120d04ed68b46249f9d27d0174840dc99b75eae338b46ed3d64fc7e386f1c - BAT/Agent.ALP!tr
bf7e29484aebfa7be8877639ea16383d5c4025cbf359d5c2566c98f5e1fccea1 - BAT/Agent.ALP!tr
<list reduced for brevity>
846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f - W32/Kryptik.GFTZ!tr
a3e2a45504a3bcf9f96acabb601410e2250165c3d19f2580c50a15bf910f3d9f - W32/Kryptik.GFTT!tr
339d22b5e02c79cdaa355bb11b063645332d0a2fd43ae78af6577818c4078284 - W32/Kryptik.GFRY!tr