Il ransomware GrandCrab rende più efficace la sextorsion del video della webcam

Alle solite email di ricatto con minaccia di divulgazione filmati hot girati con la webcam della vittima  si aggiungono link a ransomware, dai quali il malcapitato viene persuaso di poter accedere ai suoi video “hot”. Oltre alla richiesta di pagamento del riscatto in bitcoin, la vittima viene invitata ad aprire il link: a quel punto s’infetta con il ransomware GrandCrab e gli viene chiesto di pagare per decifrare i propri dati.

Proofpoint ha rilevato una nuova ondata di sextortion dove alla vittima oltre che richiedere pagamento in bitcoin viene chiesto di aprire e visionare un link, contenente appunto il presunto video “hot” girato tramite la webcam del PC, per la cui rimozione nelle altre mail di sextorsion circolate in questi mesi viene richiesto il pagamento di un riscatto in bitcoin da 300 a 7000 dollari.

Il messaggio utilizzato questa volta dai delinquenti per convincere la vittima a cliccare sul link e scaricare quello che sembra essere un video hot – mentre in realtà è un link al ransomware GrandCrab – è il seguente:

As proof of my words, I made a video presentation in Power Point.
And laid out in a private cloud, look You can copy the link below and paste it into the browser:
https[:]//google.com/url?q=_______”

Aprendo il link e avviando ciò che viene scaricato, invece del filmato ci si trova il ransomware GrandCrab che, in pochi minuti, se non bloccato da opportune contromisure, comincia a criptare i dati del PC chiedendo un riscatto di 500 dollari in Bitcoin.

Proofpoint riporta i seguenti IOC, indicatori di compromissione:

• URL in email: hzzp://jdhftu[.]tk/&4448<anonymized>
• Foto_Client89661_01.zip (Compressed AZORult): a7ba2c9def86e54086f0624a73597865a90cb93aa72dec7fdf264f655cf1bb56
• Foto_Client89661_01.scr (AZORult): 29b42b0ecd874bcad5a5d9d03ed8f8dee320892305312b4898a0b64f9fbde93a
• AZORult C&C: hxxp://egorgerov3[.]temp[.]swtest[.]ru/index.php
• AZORult payload (GandCrab): hxxp://supermainers[.]online/exp.exe
• GandCrab: ef07905923461ce13a3ca18ef6eb1833a8c8d327d47e9cc8641a2ca3d5ce97f3
• GandCrab Payment portal: gandcrabmfe6mnef[.]onion

Questo è il testo integrale della mail riportata da ProofPoint, con la richiesta di riscatto e l’invito ad aprire il link contenente il ransomware GrandCrab:

Oggetto: Attention! To your email – ____@______ – 09/08/2018 -was accessed by me!

Hello!

I have very bad news for you.
09/08/2018 – on this day, I got access to your OS and gained complete control over your system.
On this day your account____@______ has password: _______

So, you can change the password, yes.. But my malware intercepts it every time.

How I made it:
In the software of the router, through which you went online, was a vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.

After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!
I’m talk you about sites for adults.

I want to say – you are a BIG pervert. Your fantasy is shifted far away from the normal course!

And I got an idea….
I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your device) and glued them together.
Turned out amazing! You are so spectacular!

As proof of my words, I made a video presentation in Power Point.
And laid out in a private cloud, look You can copy the link below and paste it into the browser:
https[:]//google.com/url?q=_______

I’m know that you would not like to show these screenshots to your friends, relatives or colleagues.
I think $381 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!