Gandcrab 5.2 spread via false CDC emails that warn about a Flu pandemic

Crooks spread Gancrab 5.2 ransomware via suspicious email messages that pretend to be from the Centers for Disease and Control Prevention

Crooks are using fake emails from CDC to distribute a well-known version of Gandcrab ransomware

There has been a new malware campaign spreading through email messages that distribute a well-known variant of the infamous ransomware – Gandcrab v5.2.^[1] The malicious activity was first spotted about a week ago and announced by a cybersecurity company MyOnlineSecurity.^[2]

Cybercrooks have been using false CDC emails that provide users with information about a new Flu pandemic that has been spreading lately. Criminals imitate to be from the Centers for Disease Control and Prevention^[3] in order to make the scam believable.

The false message comes with the address line “Centers for Disease Control and Prevention” and another line for the subject that claims “Flu pandemic warning.” People are urged to open the document which is attached to the message. According to the sender, this will prevent the Flu from spreading further. However, those who have a good eye for detail will notice that the email message is actually coming not from CDC but Peter@eatpraynope.com.^[4]

Once the ransomware is downloaded it appears in the C:\\Windows\\Temp folder section

The fake email message contains the following text:

Please focus on this special announcement!

Presently, influenza activity is severely elevated. US Center for Disease Control and Prevention (CDC) estimates that during a last four months, the situation has deteriorated essentially: near 20 thousand diseased people were killed by the flu already, and more than 220,000 were urgently hospitalized.

Directions DOC

To stop spread of the disease and keep people from the flu, US Center for Disease Control and Prevention developed a directions list.You could find DOC file with this list attached to the e-mail. It is recommended to read it attentively and follow the directions to prevent the disease. With care of your health, CDC Communication Department.

Not interested anymore? Unsubscribe

Additionally, users launch Gandcrab v5.2 by accessing the malicious “Flu pandemic warning.doc” and editing it in the viewing mode.^[5] The ransomware is then downloaded from hxxp://205.185.125.109/samanta.exe, and its malicious payload is transferred to C:\\Windows\\Temp folder on Windows machine.

After that, the file-encrypting virus will launch its unique encryption algorithm and start locking files by adding a random extension to each document. For example, encrypted data might appear to be picture.jpg.UGHTRR or picture.jpg.YRSTN, etc. Continuously, a ransom message is displayed which also includes the files' extension in its name: UGHTRR-MANUAL.txt.

Always investigate your received emails to ensure that no ransomware is hidden inside

If you are a victim of this malware campaign and Gancrab v5.2 has encrypted all of your files, we suggest you firstly not panic and look for options what to do next. Crooks often ask for a particular amount of money to be transferred to the criminals given Bitcoin account if the user wants to receive a decryption tool for locked files.

Some hackers send payment details straightly in the ransom message, while others urge downloading the Tor browser and viewing all payment details there. However, experts do not recommend paying the ransom, as crooks often scam victims and never send the decryptor back, which consequently results in money loss.

Better try using data recovery software that is recommended by security experts. Additionally, take all security measures possible to prevent similar ransomware attacks in the future. The most important thing you need to do is always carefully check emails and the attachments that you receive.

Be aware that GandCrab authors engage in multiple malspam campaigns (unsurprisingly, as the malware is being distributed via the RaaS scheme), and Centers for Disease Control might be not the only one hackers try to portray in order to make users open the malicious attachment. For example, crooks previously encouraged office workers opening the alleged evacuation map, while “Love You” campaign focused on Japanese victims.