GandCrab version 3 was released earlier this week with a few noticeable changes. The most noticeable change is the addition of a desktop background and an autorun that causes the ransomware to start automatically when you reboot the computer.
Necurs, the world's largest spam botnet, with millions of infected computers under its control, has updated its arsenal and is currently utilizing a new technique to infect victims.
A script compile error has temporarily stopped the infection chain of a malspam campaign trying to infect users with the GandCrab ransomware.
A new variant of Rapid Ransomware is currently being distributed using malspam that pretends to be from the Internal Revenue Service. First detected by Derek Knight, this campaign is a mixup of countries with the IRS being a U.S. entity, the send being a UK email address, and the spam attachment being in German.
A new malspam campaign is underway that is pretending to be PDF receipts, but instead installs the GandCrab ransomware on a victim's computer. This is done through a series of malicious documents that ultimately install the ransomware via a PowerShell script.
A new malspam campaign is underway that is distributing a GlobeImposter variant that appends the ..doc extension to encrypted files. This malspam is pretending to photos being sent to the recipient and will have a subject line that starts in a similar way to "Emailing: IMG_20171221_".
The "Blank Slate" malspam campaign has switched to distributing a GlobeImposter variant that appends the .crypt extension to encrypted files. This downloaded executable is also code signed to make it appear more legitimate.