VenusLocker is back with a fresh GandCrab ransomware campaign

by Tomas Statkus

The VenusLocker hacking group is back with a new GandCrab[1] ransomware campaign. This time the attackers use the niche EGG file type.

VenusLocker distributes GandCrab ransomware via .egg

Security researchers at security vendor Trend Micro[2] observed the offensive campaign earlier in August 2018. Recently, they have announced that the malicious EGG attachments are used to distribute the GandCrab v4.3 ransomware. The VenusLocker team seems to be targeting only South Korean users.

According to Trend Micro, the attachments use e-commerce violation lures. The majority of the malicious emails share a common subject line that reads like this: [Fair Trade Commission] Notice of Investigation of Violation of E-Commerce Transaction.

The EGG or .egg file format

The EGG or .egg file format[3] is a compressed archive file format which can look exotic to us as it is rarely used. EGG supports Unicode and intelligent compression algorithms and it is widely used in South Korea.

According to the independent security researcher Graham Cluley,[4]

Many South Korean users might find it odd if an archived file was sent to them by a friend or colleague in an archive file format other than .EGG.

The file format was developed by ESTsoft back in 1999 and can only be opened via the ALZip tool.

The GandCrab ransomware campaign. Trend Micro Analysis

Researchers at Trend Micro have analyzed the ransomware campaign and noted it specifically targets users based in South Korea. Once the targeted user unarchives the malicious .egg file and clicks on the .lnk files, the malware is activated. It then encrypts all the files on the compromised PC and appends the .krab file extension.

If the victim does not have access to a secure backup and wants to recover files, there is no other choice than visiting the ransomware’s payment website and paying the demand.

In our analysis of the samples, the attached EGG (TROJ_GANDCRAB.TICABAK) contains three files: two shortcut .lnk files (LNK_GANDCRAB.E) that are disguised to appear as documents, and an .exe file that will disappear once the user decompresses the EGG file. Within the .lnk files, VenusLocker_korean.exe is inscribed, which could mean that the VenusLocker group was behind the distribution of spam emails.
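A defender-side triage example for the files described above, added here and not taken from Trend Micro or the original article: it identifies EGG archives and .lnk shortcuts by their leading bytes rather than by file name, and lists any .exe names stored inside a shortcut. The file names, the list of document extensions, the double-extension check and the sample bytes are constructed assumptions.

```python
import os
import re

EGG_MAGIC = b"EGGA"  # EGG header signature 0x41474745, stored little-endian
# MS-SHLLINK header: HeaderSize 0x4C followed by the LinkCLSID
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
DOC_EXTS = {".doc", ".docx", ".pdf", ".hwp", ".xls", ".xlsx"}  # assumed lure extensions

EXE_ASCII = re.compile(rb"[\w.\-]{1,64}\.exe", re.I)
EXE_UTF16 = re.compile(rb"(?:[\w.\-]\x00){1,64}\.\x00e\x00x\x00e\x00", re.I)

def file_kind(data):
    """Classify by leading bytes, ignoring whatever the file name claims."""
    if data.startswith(EGG_MAGIC):
        return "egg"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(b"MZ"):
        return "pe"
    return "other"

def exe_references(data):
    """Executable names stored in a shortcut as ASCII or UTF-16LE strings."""
    names = {m.group().decode("ascii") for m in EXE_ASCII.finditer(data)}
    names |= {m.group().decode("utf-16-le") for m in EXE_UTF16.finditer(data)}
    return sorted(names)

def triage(name, data):
    """Return findings for one attachment or one file unpacked from it."""
    findings = []
    kind = file_kind(data)
    stem, ext = os.path.splitext(name.lower())
    if kind == "egg":
        findings.append("EGG archive")
    elif kind == "lnk":
        # Assumption: a document extension before .lnk is one form of disguise.
        if ext != ".lnk" or os.path.splitext(stem)[1] in DOC_EXTS:
            findings.append("shortcut named like a document")
        findings += ["shortcut references " + n for n in exe_references(data)]
    elif kind == "pe":
        findings.append("Windows executable")
    if ext == ".krab":
        findings.append(".krab extension (GandCrab-encrypted file)")
    return findings

# Constructed samples: magic bytes plus padding, not real malware or real files.
SAMPLE_EGG = EGG_MAGIC + b"\x00" * 16
SAMPLE_LNK = LNK_MAGIC + b"\x00" * 56 + "VenusLocker_korean.exe".encode("utf-16-le")

if __name__ == "__main__":
    for fname, blob in [("notice.egg", SAMPLE_EGG), ("notice.doc.lnk", SAMPLE_LNK)]:
        print(fname, "->", triage(fname, blob))
```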

It is worth mentioning that GandCrab is the second-highest detected ransomware family from March to July.

Even though the EGG file format is only popular in South Korea and users in other countries are not likely to have access to an ALZip tool, which can unarchive the file and unlock the malware, users across the globe have to be careful while opening files from unknown senders.

Similar ransomware can easily be delivered via ZIP or other file formats and used to attack home and business users. So, all users should remain vigilant and think twice before opening unknown files.

About the author

Tomas Statkus - Team leader

Tomas Statkus is an IT specialist, the team leader, and the founder of He has worked in the IT area for over 10 years.
