Allegations that China is in the crosshairs of North Korean hackers have arisen after the discovery of ransomware-laden emails hitting the inboxes of government departments. The emails contain version 5.2 of the GandCrab ransomware concealed as an archive named “03-11-19.rar.”
China’s National Network and Information Security Information Center has informed the country’s provincial government that hackers are targeting the websites of government departments with emails containing ransomware. Going by a sender name in one of the emails (Min, Gap Ryong), Chinese officials reportedly speculate that the operators are of North Korean origin.
According to the statement, the attacks have been ongoing since March 11. Victims report being directed to download the Tor browser, which is then used to open the attacker’s digital currency payment window. The ransom sum is not disclosed in the statement.
Chinese officials have yet to reveal the scope of the attack or assess the damage. What the notice does say, however, is that all units are required to conduct risk warnings, investigate, and report any future attacks. Other instructions are provided as well, such as installing antivirus software, disabling automatic functions for USB ports, upgrading the OS and installing security updates, and disconnecting infected hosts or servers to prevent the spread of the malware.
GandCrab 5.2 is the latest version of the infamous ransomware family. No decryptors are currently available for this version of GandCrab.