Overview
So-called “sextortion” scams, in which threat actors send blackmail emails claiming to have compromising information about the recipient and threaten to expose a range of observed illicit activities, are becoming increasingly common. In general, these emails simply demand payment to avoid publication of the purported evidence of compromising information. However, this week Proofpoint researchers observed a sextortion campaign that also included URLs linking to AZORult stealer that ultimately led to infection with GandCrab ransomware.
Common sextortion techniques
Proofpoint researchers have been observing pervasive sextortion campaigns for many months now, most without links or attachments. They generally include:
- A statement that the recipient’s computer has been compromised with some type of spyware or a keylogger
- To make the email more believable, a method such as the following is often used:
  - A password associated with the email account, sometimes obtained via previous data breaches, is included
  - Information that can be obtained from open sources, such as a spouse, employer, or occupation, is included
- Accusations of impropriety online or of inappropriate files stored on the device
- A demand for a payment to a Bitcoin wallet to avoid having evidence of the purported impropriety exposed on the Internet or sent to the recipient’s contacts
Sextortion campaign with ransomware - December 5, 2018
On December 5, we observed a new sextortion campaign involving thousands of messages sent to a variety of targets primarily in the United States. A sample email shown in Figure 1 follows the basic formula for these types of attacks but also includes a URL that resolves to jdhftu[.]tk. The URL purportedly takes recipients to a presentation showing them video of the compromising activities captured on their device. However, it actually leads to AZORult stealer malware, which, in turn, installs GandCrab ransomware, version 5.0.4 with affiliate ID "168;777".
Figure 1: Sextortion email from December 5, 2018, with a URL linking to AZORult stealer
This particular attack combines multiple layers of social engineering as vulnerable, frightened recipients are tricked into clicking the link to determine whether the sender actually has evidence of illicit activity.
The supposed password for the potential victim’s email address in this case appears to be the email address itself. Therefore, in this case it may simply be a bluff, and the attacker does not actually possess the victim’s password.
If the potential victim does click the link and runs the file it delivers, AZORult installs GandCrab ransomware. GandCrab in this case demands a payment of $500 in Bitcoin or DASH.
Figure 2: Payment portal for GandCrab
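The following is an added example, not code from the original post or from Proofpoint, showing how a mail-filtering defender could score an inbound message against the sextortion pattern listed under "Common sextortion techniques" and the December 5 chain above: a spyware claim, an exposure threat, a Bitcoin demand, a cited "password" (flagging the bluff case where it is just the recipient's own address), and a link whose host appears in this page's IOC table. The sample email, the recipient address and the Bitcoin address are constructed; the defanged hosts are the ones in the IOC table.

```python
import re
from dataclasses import dataclass

# Hosts copied from this page's IOC table; kept defanged so nothing here ever resolves them.
KNOWN_BAD_HOSTS = {"jdhftu[.]tk", "supermainers[.]online", "egorgerov3[.]temp[.]swtest[.]ru"}
# Matches live (http://) and defanged (hxxp://, hzzp://) schemes; group 1 is the host.
URL_RE = re.compile(r"\bh(?:tt|xx|zz)ps?://([^\s/]+)", re.I)
# Approximate Bitcoin address shapes: legacy base58 (1.../3...) and bech32 (bc1...).
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
PASSWORD_CLAIM_RE = re.compile(r"password\s*(?:is|:)\s*\"?([^\s\"]+)", re.I)
SPYWARE_CLAIM_RE = re.compile(r"\b(?:keylogger|spyware|malware|trojan)\b", re.I)
EXPOSURE_RE = re.compile(r"\b(?:your contacts|expose|publish|send (?:the|this) video)\b", re.I)

@dataclass
class Verdict:
    score: int
    reasons: list

def defang(host: str) -> str:
    return host.lower().replace("[.]", ".").replace(".", "[.]")  # normalise to the IOC table's form

def score_sextortion(body: str, recipient: str) -> Verdict:
    """Score one message body against the sextortion pattern this page describes."""
    hits = []  # (points, reason)
    if SPYWARE_CLAIM_RE.search(body):
        hits.append((1, "claims the device was compromised with spyware/keylogger"))
    if EXPOSURE_RE.search(body):
        hits.append((1, "threatens to expose material to contacts or publicly"))
    if BTC_RE.search(body):
        hits.append((2, "demands payment to a Bitcoin address"))
    m = PASSWORD_CLAIM_RE.search(body)
    if m:
        claimed = m.group(1).rstrip(".,;:!").lower()
        if claimed in (recipient.lower(), recipient.split("@")[0].lower()):
            hits.append((1, "cited 'password' is just the recipient's own address: a bluff"))
        else:
            hits.append((2, "cites a specific password, possibly reused from a breach"))
    for host in URL_RE.findall(body):
        if defang(host) in KNOWN_BAD_HOSTS:
            hits.append((4, f"links to known AZORult/GandCrab host {defang(host)}"))
        else:
            hits.append((1, f"links out to 'verify' the claim: {host}"))
    return Verdict(sum(p for p, _ in hits), [r for _, r in hits])

# Constructed sample, modelled on the email described in this post (not the real message).
SAMPLE_EMAIL = """Hello alice@example.com! Your password is alice@example.com.
I installed a keylogger on your device months ago and recorded everything.
Pay 500 USD in Bitcoin to 1SAMPLEADDRESSFRTESTSABCDEFGH23456 or I will send the video
to all of your contacts. The proof is here: hxxp://jdhftu[.]tk/presentation"""
```

Running `score_sextortion(SAMPLE_EMAIL, "alice@example.com")` yields a score of 9 with five reasons, while an ordinary message containing one unrelated link scores 1.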
Conclusion
Sextortion preys on the fears and insecurities of recipients, using stolen passwords and other social engineering tricks to convince recipients that their reputations are actually at risk. Adding a URL linking to ransomware that purports to be a presentation showing the recipients’ illicit activities is a new technique, increasing the risk associated with this type of attack. Individuals receiving sextortion emails should 1) assume the sender does not actually possess screenshots or video of any compromising activity and 2) not click any links or open attachments to verify the sender’s claims.
Indicators of Compromise (IOCs)
IOC | IOC Type | Description
hzzp://jdhftu[.]tk/&4448<anonymized> | URL | URL in email
a7ba2c9def86e54086f0624a73597865a90cb93aa72dec7fdf264f655cf1bb56 | SHA256 | Foto_Client89661_01.zip (Compressed AZORult)
29b42b0ecd874bcad5a5d9d03ed8f8dee320892305312b4898a0b64f9fbde93a | SHA256 | Foto_Client89661_01.scr (AZORult)
hxxp://egorgerov3[.]temp[.]swtest[.]ru/index.php | URL | AZORult C&C
hxxp://supermainers[.]online/exp.exe | URL | AZORult payload (GandCrab)
ef07905923461ce13a3ca18ef6eb1833a8c8d327d47e9cc8641a2ca3d5ce97f3 | SHA256 | GandCrab
gandcrabmfe6mnef[.]onion | Domain | GandCrab payment portal
ET and ETPRO Suricata/Snort Signatures
2025638 || ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activit