A sextortion scam that doubles its chances of success by planting ransomware on the computing device of its target victims has emerged, and as is often the case the attackers want to be paid in bitcoin.

According to researchers at cybersecurity firm Proofpoint, the sextortion campaign, which is mostly targeting residents of the United States, is including links in the blackmail email pointing to a ransomware installer.

As with other similar sextortion campaigns, the scam claims to have compromising information that has been gathered over months and compiled in a video. But when the victim clicks on the links to the video to verify that indeed they were secretly recorded, they end up inadvertently installing ransomware known as GandCrab.

Once the ransomware is successfully installed, a payment of US$500 is demanded from the victim, and it has to be paid in cryptocurrency, specifically bitcoin or dash. Interestingly, GandCrab, which was discovered in January this year, is the first known ransomware to demand payment in dash.

Striking at a Moment of Vulnerability

For the first time this week, we observed a sextortion campaign that also includes a link to #ransomware with #SocialEngineering designed to extort money from recipients. https://t.co/Fol821L2wU pic.twitter.com/PGo9FZfu2p — Proofpoint (@proofpoint) December 7, 2018

According to Proofpoint researchers, the cyber criminals are preying on fears and hoping that their target victims, having panicked, will not think twice about clicking on links — however suspicious they may appear.

“This particular attack combines multiple layers of social engineering as vulnerable, frightened recipients are tricked into clicking the link to determine whether the sender actually has evidence of illicit activity,” the cybersecurity researchers wrote in a blog post.

From a sample seen by the Proofpoint researchers, the cyber criminals are employing this technique to increase their chances of making money if the sextortion attempt fails. The sample blackmail email, for instance, requests US$381 to be paid if the victim does not want the compromising information that has supposedly been collected from them sent to their family and friends. It is only when the victims seek to see the video evidence that the ransomware is installed and their computing device locked, with victims once again asked to send a bitcoin or dash payment to unlock it.

Putting on an Act

Though the ransomware creators claim to have the necessary login credentials of their victims, this is not the case. In one of the sample emails, the ransomware creators allege that they have a password of the target, though the cybersecurity researchers have determined that not to be the case:

“The supposed password for the potential victim’s email address in this case appears to be the same as the email account. Therefore, in this case it may simply be a bluff and the attacker does not actually possess the victim’s password.”

It is estimated that in the first two months after GandCrab was first discovered, it made its creators approximately US$600,000 from more than 50,000 victims mostly in the United Kingdom, the United States, and Scandinavia.

Featured Image from Shutterstock