GandCrab Ransomware Spreading Through Spam Campaigns: Security Alert

Do not have time to read full article and want this article in PDF format in your email.

Enter your Email Address

You may be familiar with GandCrab ransomware that seems to widely spread via various spam campaigns or social engineering techniques to infect and harvest users’ most important data.This fast-growing malware has infected more than 50,000 victims and targeting mostly the ones from Scandinavia and UK speaking countries, according to a report CheckPoint.

Security researchers recently analyzed a new spam campaign in which malicious actors try to lure victims into clicking a malicious link that will open a binary file and infect users’ system with the GandCrab ransomware.

This phishing campaign has been delivered with the following content (sanitized for your own protection).

Here’s how this email looks like:

From: [Spoof / Forwarded Sender Address]

Subject Line:
Job: Banking Opportunities, Greymouth

Dear Hiring Manager
Please review my [link: http: // abuellail [.] Com / resume. php] resume
Charlotte Anderson
Email: charlotte.anderson @ abuellail [.] com

If a user clicks on the link received on the email, then he will be redirected to one of the following and compromised web pages (sanitized for your online safety):

test.ritsdb [.] com
ubsms [.] com
test.technostark [.] com

How the infection happens

Basically, the malware is spread via an executable binary file (resume.exe) which is returned after GandCrab is running on the local machine as a file called “bhxsew.exe”.

During the process, the ransomware will try to collect and determine the external IP addresses of the victims via legitimate services such as:

Http: // ipv4bot.whatismyipaddress. com
Http: / /bot.whatismyipaddress. Com

The main component of GandCrab is “dropped” as a “bhxsew.exe” file in the directory. As part of the local data encryption, this malicious file is configured to communicate with the following domains:

zone alarm [.] bit
ransomware [.] bit

GandCrab ransomware is not spread only via spam emails but also seen distributed via an exploit kit campaign called MagnitudeEK which abuses software vulnerabilities found in Windows, Adobe Flash Player, and Silverlight.

As regards to the MagnitudeEK spam campaign, security researchers have seen a flood of subdomains being used via this site:

lieslow [.] faith

Malwarebytes Labs recently found that Magnitude EK, “which had been loyal to its own Magniber ransomware, was now being leveraged to push out GandCrab, too.”

Here’s how the ransom note is displayed on the infected machine:

Magnitude EK GandCrab Payload Image

Magnitude has always experimented with unconventional ways to load its malware, for example via binary padding, or more recently via another technique, but still exposing it “in the clear” from traffic or network packet capture.

Magnitude EK dropping Magniber Image

Upon successful infection, files will be encrypted with the .CRAB extension while a ransom note is left with instructions on the next steps required to recover those files.

GandCrab’s ransom note Image

According to VirusTotal, 32 antivirus products out of 66 have detected this spam email campaign at the time we write this security alert.

Virustotal Scan Result Image

How to stay safe from the GandCrab ransomware

One of the best ways to keep your important data safe from ransomware is to think and act proactively.

To minimize both the risks and the impact of these online threats, we recommend both home users and companies to use and apply these security measures:

  1. Always backup your data and use external sources such as a hard drive or in the cloud (Google Drive, Dropbox, etc.) to store it.
  2. DO NOT open (spam) or download attachments or links from unknown sources that could infect your computer;
  3. Use strong and unique passwords and never reuse them for multiple accounts. Consider using a paid proactive antivirus software which is also up to date..
  4. Prevention is the best cure, so make sure you learn as much as possible about how to easily detect spam emails.
  5. Given the rise of new types of malware we remind you that security is not just about using a solution or another, it’s also about improving your online habits and being proactive.

If you’ve been a victim of the GandCrab ransomware, the good news is that there’s a decryption tool available you can use to recover the valuable data locked by ransomware.

If you liked this post, you might enjoy our newsletter. Receive new articles directly in your inbox:

Yes I agree to receive emails from Defenx Solution

*This article features cyber intelligence provided by CSIS Security Group researchers and also source of the images and details of this article from Malwarebytes and

Subscribe our Youtube Channel

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Welcome to Defenx Solution

If you need any info or details please do connect with us through any medium below. We will try to get in touch with you as early as possible.

Contact Form

or reach me via these social channels

Contact Us