Sextortion scams lead to infiltration by the infamous GandCrab ransomware

Sextortion email scams are used to spread the Azorult trojan horse, which leads to GandCrab ransomware

The Azorult trojan is distributed via sextortion scams and automatically installs GandCrab ransomware on the system.

Sextortion email scams started as a money-generating tactic used to extort cryptocurrency from people by convincing them that their systems were hacked or that they had been observed watching adult-related content.[1] The newest campaign tricks recipients into installing the Azorult trojan,[2] which in turn installs the notorious GandCrab ransomware. At the moment, this is the most active ransomware virus, and it keeps receiving new features almost every week.[3]

The scam mostly targets users from the United States, who have recently started reporting emails threatening to expose information about their illegal or sexual activities.[4] The strategy continues with an alleged video file that supposedly shows the victim viewing prohibited content, and a ransom is demanded to prevent the worst-case scenario.

However, according to the report[5] from ProofPoint, the blackmail messages have started spreading infected .exe or .zip files named like After clicking on such a file, instead of the promised video, the system is automatically infected with the AZORult malware, which immediately initiates the installation of GandCrab ransomware:

If the potential victim does click and follow through with installing ransomware linked in the email, GandCrab ransomware is installed. GandCrab in this case demands a payment of $500 in Bitcoin or DASH.

Sextortion scams take a dark turn

Sextortion scams have been successful for a while now because of their clever tactics. Scammers craft legitimate-looking emails filled with supposedly private information: a video that allegedly shows the victim viewing adult-related content, claims that the system is infected, and so on. Until now, however, these campaigns have focused mainly on getting cryptocurrency payments from victims directly.[6]

The message has been successful because it threatens to share the alleged material with the victim's contact list. Scammers are believed to have generated a generous amount of money even though the claim about illegal activity or a hacked computer is false and no video of the victim viewing pornographic content exists. Nevertheless, researchers at ProofPoint have found that the attackers have started pushing victims to download the malicious AZORult instead.

Details of the more dangerous sextortion scam

The report[5] from ProofPoint states that the blackmail messages were spotted during the first week of December 2018, and provides the following information:

This particular attack combines multiple layers of social engineering as vulnerable, frightened recipients are tricked into clicking the link to determine whether the sender actually has evidence of illicit activity. The supposed password for the potential victim’s email address in this case appears to be the same as the email account. Therefore, in this case it may simply be a bluff and the attacker does not actually possess the victim’s password.

Unfortunately, these tactics are very effective at making people want to confirm whether the video is real. As a result, they unknowingly download the malicious file, which leaves at least two types of malware on the system. Once there, GandCrab ransomware encrypts data and demands a ransom, so this campaign is far more dangerous than the previous scams.
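As an added example (not code from the article or from ProofPoint's report), the following Python triage check applies the signals described above to a single e-mail: an .exe/.zip attachment standing in for the promised video, extortion wording, and a "leaked password" that is merely the recipient's own account name. The sample message, the lure-term list and the function names are constructed assumptions for the demo.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Attachment types the campaign delivered instead of the promised video.
RISKY_EXT = (".exe", ".zip")
# Wording typical of the lure (assumed list; tune to your own mail stream).
LURE_TERMS = ("video", "webcam", "adult", "bitcoin", "contacts")


def recipient_local_part(msg) -> str:
    """Local part (before '@') of the first To: address, lower-cased."""
    addr = re.search(r"[\w.+-]+@[\w.-]+", (msg["To"] or "").lower())
    return addr.group(0).split("@")[0] if addr else ""


def classify(raw: bytes) -> dict:
    """Score one raw RFC 5322 message; verdict is 'block', 'review' or 'pass'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body else ""
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    risky = [n for n in names if n.lower().endswith(RISKY_EXT)]
    lure = [t for t in LURE_TERMS if t in text]
    # The report noted the "leaked password" equalled the account name, so a
    # claim built only from the address is a bluff signal, not breach evidence.
    m = re.search(r"password\s*(?:is|:)\s*([^\s,.]+)", text)
    bluff = bool(m and m.group(1) == recipient_local_part(msg))
    if risky and lure:
        verdict = "block"      # executable "video" plus extortion wording
    elif lure and (bluff or risky):
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "risky_attachments": risky,
            "lure_terms": lure, "password_bluff": bluff}


def build_sample() -> bytes:
    """Constructed sextortion message carrying a .zip 'video' (demo input only)."""
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "jdoe@example.invalid"
    msg["Subject"] = "Your password is jdoe"
    msg.set_content("I know your password is jdoe.\nI recorded a video of you "
                    "viewing adult sites.\nPay 0.5 bitcoin or I send it to all "
                    "your contacts.\nThe video is attached.")
    msg.add_attachment(b"PK\x03\x04demo", maintype="application",
                       subtype="zip", filename="video_proof.zip")
    return bytes(msg)
```

Run `classify(build_sample())` to see the constructed lure scored as "block"; a plain message with no extortion wording and no attachment scores "pass".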

It is important to stay alert and question anything that arrives in your inbox. Do not open attachments from suspicious senders, and search the internet for similar examples before believing everything stated in the email.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
