This past week, users in the United States have been bombarded by an email spam campaign that pushed a double-whammy of a sextortion attempt combined with a possible ransomware infection.
ZDNet readers that aren’t aware of what a “sextortion” is, this is a term that comes from “sex” and “extortion,” and is used by IT security experts to describe a type of blackmail or ransom demand people receive via email.
The threat usually consists of a cyber-criminal telling a user he’s been hacked or infected with malware, and the crook has managed to obtain evidence of the victim performing sexual acts or having illegal sexual-related files on his computer.
Crooks threaten to expose the victim to friends, family, or authorities if a ransom demand is not paid in cryptocurrency in a given time.
Starting with May this year, there have been quite a few email spam waves pushing different versions of sextortion threats.
There have been sextortion scams where the criminals claimed they were from China, where the hackers claimed they intercepted a user’s computer cache data, where the hackers claimed to have hacked all of a victim’s online accounts, where crooks claimed they hacked the victim’s phone, or where crooks claimed to have recorded the user via his webcam while visiting adult sites.
These themes vary almost on a weekly basis, as scammers try different themes and tactics in attempts to make easy money.
And they’ve been making money hand over fist. According to a Cisco Talos report published at the end of October, one of these gangs made more than $146,000 in just 58 days.
These huge profits have spurred massive spam campaigns all year, and even the infamous Necurs spam botnet beginning to flood users with millions of these types of emails at one point last month.
But this week, sextortion scams took another very dangerous turn. Security researchers at Proofpoint have told ZDNet that they’ve seen a variation of a sextortion scam campaign that included a link at the bottom of the blackmail message [in full here].
The scammers claimed to have a video of the user pleasuring himself while visiting adult sites, and they urged the user to access the link and see for himself. But Proofpoint says that instead of a video, users received a ZIP file with a set of malicious files inside.
Users who downloaded and ran these files would be infected by the AZORult malware, which would immediately download and install the GandCrab ransomware.
Even if the user had no intention of paying the sextortion demand, curious users would still end up being held for ransom if they were careless enough to follow the link and ran the files they received.
Users who receive these types of messages are urged to ignore them. Proofpoint says this campaign has been active since December 5. More technical details and indicators of compromise about these emails and associated malware files are available in Proofpoint’s report here.