Chinese government departments targeted with GandCrab v5.2 ransomware

• The malware comes concealed as an archive named ‘03-11-19.rar’.
• The phishing attack has started since March 11, 2019.

A new phishing campaign that leverages GandCrab v5.2 ransomware to infect the Chinese government officials has been discovered recently. The malware comes concealed as an archive named ‘03-11-19.rar’.

How does it work – According to China’s Internet Network Information Center, the phishing attack has started since March 11, 2019. The hackers are targeting the websites of relevant government departments in China with emails containing ransomware. The emails are sent by different senders such as ‘Min, Gap Ryong’. Going by the sender’s name, it is believed that the operators are from North Korea.

“According to the monitoring of the China Internet Network Information Center, starting from March 11, 2019, a hacker organization outside the country launched a ransomware mail attack on relevant government departments in China. After analysis and analysis, the ransomware version number is GANDCRABV5.2, which is the latest upgraded ransomware version in February 2019,” said the report.

What does the ransomware do – Once installed, GandCrab v5.2 encrypts the hard disk data of the user host and redirects the users to download the Tor browser. The Tor browser later logs into the attacker’s digital currency payment window and asks the victim to pay the ransom.

What steps are taken – Following the discovery, all units of the Chinese government have been asked to monitor their systems and report any future attacks. Other crucial measures have also been recommended to mitigate the attack. This includes –

• Keeping the antivirus up-to-date;
• Disabling automatic functions for USB ports;
• Disconnecting infected hosts or servers;
• Upgrading the operating systems to latest versions.

GandCrab v5.2 is the latest version of the ransomware family. No decryption keys are currently available for this version of the GandCrab.