A new ransomware strain called GandCrab has recently started infecting people by pretending to be a love letter sent via email. After infecting victims, it instructs them to pay with either bitcoin or dash.

According to a report published by the Mimecast Threat Labs Team, the GandCrab ransomware strain encrypts victims’ files after sending them messages that try to trick them into believing they’ll be reading a love letter, or some other love declaration.

Victims are approached by an email with a subject in along the lines of “Wrote my thoughts down about you,” or “Felt in love with you.” Inside the email there’s merely an asterisk and an attached file titled “Love_You_2018_” followed by random numbers.

Those who end up opening the attachment are then asked whether they’d like to see in English, Korean, or Chinese – which indicates these are the ransomware’s targets. If they go on, their files are encrypted and a cryptocurrency ransom is demanded.

How is #ValentineDay being exploited by threat actors like #GandCrab and what can you do to protect your team? Advice from Threat Labs & @JCDSecurity: https://t.co/DhNBHJ7Fnm pic.twitter.com/iOlX3XDLl1 — Mimecast (@Mimecast) February 14, 2019

After being asked for a ransom in either BTC or Dash, the victims are then told that if they don’t pay within seven days, the ransom is going to double. The attack appears to be somewhat advanced, as it even features a live chat window to help those who don’t know how to use cryptocurrencies.

Notably, the ransomware appears to deliberately avoid targeting Russian users, and it stops the attack if it detects the victim has a Russian-configured keyboard. Per Mimecast, this “signals these campaigns are specifically designed to not target Russian users.”

GandCrab is notably classified as Ransomware-as—a-Service (RaaS), meaning hackers and bad actors purchase the service from vendors – presumably on the dark net – to then target victims with it.

The ransomware is notably taking advantage of the holidays to try and trick users through false promotions, gifts, and campaigns. Mimecast also found fake customer surveys, malicious data apps, and non-malicious compromised dating apps spreading GandCrab.

As CryptoGlobe covered, researchers have recently warned that “Anatova,” a ransomware strain demanding Dash from its victims, could “become very dangerous.” Ransomware strains demand Dash instead of BTC or XMR have been growing in popularity. GandCrab was, however, the first one to do so.