GandCrab 2.1 Ransomware on the Rise

Fortinet has been observing a surge in an email spam campaign delivering the latest GandCrab v2.1 ransomware. Many of the emails carry a JavaScript attachment hidden inside an archive named in the format DOC<NUMBERS>.zip. When the script is executed, it downloads a GandCrab v2.1 variant from a malicious URL.
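The attack chain above (a zip named DOC<NUMBERS>.zip that carries a script dropper) is simple enough to check for at the mail gateway before the script ever reaches a user. The following is an added example, not Fortinet's code or a FortiGuard rule: it opens an attachment in memory, looks for scripts inside the archive, and combines that with the reported filename pattern to produce a verdict. The campaign filename pattern comes from the text; the list of script extensions beyond .js (those Windows Script Host runs on double-click) and the verdict names are assumptions for illustration, and the sample archives are constructed inline.

```python
import io
import re
import zipfile

# Filename pattern reported for the campaign: DOC<NUMBERS>.zip.
# Case-insensitive matching is an assumption (Windows ignores case anyway).
CAMPAIGN_NAME_RE = re.compile(r"^DOC\d+\.zip$", re.IGNORECASE)

# Extensions that Windows Script Host executes on double-click. The page names
# only JavaScript (.js); the other entries are assumptions covering sibling
# loader formats so the check is not trivially bypassed by renaming.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe")


def script_members(archive_bytes):
    """Return the names of script files inside a zip ([] if it is not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def classify_attachment(filename, archive_bytes):
    """Return 'block', 'quarantine' or 'allow' for one attachment.

    block:      campaign-style filename AND a script inside the archive
    quarantine: either indicator alone (a script in any zip, or the
                campaign filename even on an unreadable archive)
    allow:      neither indicator
    """
    name_match = bool(CAMPAIGN_NAME_RE.match(filename))
    scripts = script_members(archive_bytes)
    if name_match and scripts:
        return "block"
    if name_match or scripts:
        return "quarantine"
    return "allow"


def build_zip(members):
    """Construct a zip in memory from {name: bytes}; used for sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples (not real campaign artifacts).
    samples = [
        ("DOC2204.zip", build_zip({"DOC2204.js": b"// downloader stub"})),
        ("invoice.zip", build_zip({"invoice.pdf.js": b"// double extension"})),
        ("report.zip", build_zip({"report.txt": b"plain text"})),
        ("DOC1.zip", b"not really a zip"),
    ]
    for name, data in samples:
        print(f"{name}: {classify_attachment(name, data)}")
```

The "double extension" case (invoice.pdf.js) is why the check looks at the real member names rather than trusting what Explorer would display; a script inside any archive is worth holding regardless of the outer filename.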

Mail servers hosted in the US are currently the primary recipients of this campaign. However, in terms of actual successful GandCrab infections, India holds the top spot, as shown in the graph.

The ransom note contains a link to an onion site that the victim has to visit using the Tor Browser (a browser designed for anonymous internet browsing) in order to purchase a file decryptor.

The best defense against these kinds of attacks is good cyber hygiene and safe practices. In this case, remember that it is always important to be cautious about unsolicited emails, especially those carrying archives, scripts or other executable attachments.

In addition, if all else fails, make sure you always have backups stored offline or in an isolated network environment, so that a compromised system can be recovered without paying the ransom. Fortinet users are protected by the following solutions:

  • Emails are blocked by our FortiGuard AntiSpam Service
  • Files in the attack chain are detected by FortiGuard Antivirus
  • Malicious download URLs and C2s are blocked by the FortiGuard Web Filtering Service
  • FortiSandbox rates any execution point in the attack chain as “High Risk”

intlx Solutions is a Fortinet partner.