Spoofed CDC Warning of Flu Pandemic Distributes Ransomware

MyOnlineSecurity discovered a new phishing campaign distributing ransomware identified as GandCrab v5.2. The threat actor has recently been observed using fear tactics and a sense of urgency to entice the target to open the attached “important” information. These phishing emails are sent with the subject line “Flu pandemic warning” and impersonate a Centers for Disease Control and Prevention (CDC) employee. The attached document asks the victim to enable both editing and content in order to view its contents. If the victim does so, a malicious macro executes, downloads the GandCrab v5.2 installer into the C:\Windows\Temp folder, and runs it immediately. All files on the infected computer are then encrypted and a ransom note named [various extension]-MANUAL.txt is dropped. For example, if the ransomware used the ABCDE extension, the ransom note would be named ABCDE-MANUAL.txt. Free decryption tools are currently unavailable for this version. MyOnlineSecurity also recently identified fake DHL shipping notices containing the same version of GandCrab.

The NJCCIC highly recommends that users refrain from opening attachments from unsolicited or suspicious emails. Users who receive unexpected or unsolicited requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. More details, including IOCs, can be found on MyOnlineSecurity’s blog post. We encourage users to review a list of ransomware strategies on our website here. If you are targeted by ransomware, please report the incident to your local police department and to the NJCCIC via the Cyber Incident Report Form on our website.
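As an added example (not code from the advisory or from MyOnlineSecurity), the following Python triage check looks for the ransom-note naming convention described above, a `<EXT>-MANUAL.txt` note dropped next to files carrying the same `.<EXT>` extension; the directory layout and file names it scans are constructed sample data.

```python
"""Triage check for the GandCrab v5.2 ransom-note pattern (constructed example).

The advisory says encrypted files receive a random extension (e.g. .ABCDE) and a
note named ABCDE-MANUAL.txt is dropped. Requiring that files with the matching
extension actually exist in the tree avoids flagging unrelated "-MANUAL.txt" files.
"""
import os
import re
import tempfile
from collections import Counter

# Token before "-MANUAL.txt": a short run of letters/digits, case-insensitive.
NOTE_RE = re.compile(r"^([A-Za-z0-9]{4,10})-MANUAL\.txt$", re.IGNORECASE)


def find_gandcrab_indicators(root):
    """Return [(note_path, extension_token, matching_file_count)] for every
    *-MANUAL.txt note whose token matches the extension of files in the tree."""
    ext_counts = Counter()  # lower-cased extension -> number of files
    notes = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            m = NOTE_RE.match(name)
            if m:
                notes.append((os.path.join(dirpath, name), m.group(1)))
                continue
            ext = os.path.splitext(name)[1].lstrip(".")
            if ext:
                ext_counts[ext.lower()] += 1
    # Keep only notes whose token corresponds to a real encrypted-file extension.
    return [(path, token, ext_counts[token.lower()])
            for path, token in notes if ext_counts[token.lower()] > 0]


def build_sample_tree():
    """Constructed sample: a mock infected Documents folder plus a benign decoy."""
    root = tempfile.mkdtemp(prefix="gc_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.ABCDE", "budget.xlsx.ABCDE", "photo.jpg.ABCDE"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(docs, "ABCDE-MANUAL.txt"), "w").close()
    # Looks like the pattern but no files use a ".ROUTER" extension: not flagged.
    open(os.path.join(root, "ROUTER-MANUAL.txt"), "w").close()
    return root


if __name__ == "__main__":
    for path, token, count in find_gandcrab_indicators(build_sample_tree()):
        print(f"possible GandCrab note {path}: {count} files with .{token}")
```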