A new member of the Dharma ransomware family has been spotted wreaking havoc. Dubbed Gtsc, the new threat is programmed to encrypt user-generated data and extort a hefty ransom from its victims. Despite its unusual name, Gtsc ransomware is a classic file-encryptor. It sneaks into its targets' computers and scans them for user-generated data.
It is easy for victims to notice that their data has been tampered with, because Gtsc renames the encrypted files. The ransomware keeps the original file name and extension but appends the victim's ID and the criminals' email address to the file name, followed by the ".gtsc" extension. For example, an archive called "pictures.rar" will be renamed to "pictures.rar.id-67gYT6sa.[email@example.com].gtsc".
Gtsc ransomware creates a ransom note named "FILES ENCRYPTED.txt" and opens a pop-up window stating that decryption is available for a price.
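The rename scheme and note name described above are enough to triage a directory listing from a suspected infection. The following is an added example (not code from the original article or from any analysis tool); the file names in SAMPLE_LISTING are constructed, reusing the victim ID and email address quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Gtsc rename scheme described above: <original name>.id-<victim ID>.[<attacker e-mail>].gtsc
# The first group is greedy so an original name that itself contains ".id-" still parses.
GTSC_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[A-Za-z0-9]+)\.\[(?P<email>[^\]\s]+)\]\.gtsc$"
)
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"

# Constructed sample listing (not real indicators); two renamed files, one note, one clean file.
SAMPLE_LISTING = [
    "pictures.rar.id-67gYT6sa.[email@example.com].gtsc",
    "report.id-67gYT6sa.[email@example.com].gtsc",
    "FILES ENCRYPTED.txt",
    "notes.txt",
]


@dataclass(frozen=True)
class GtscHit:
    path: str
    original_name: str   # name the file had before the ransomware renamed it
    original_ext: str    # its original extension, "" if it had none
    victim_id: str
    email: str


def parse_gtsc_name(filename: str) -> Optional[GtscHit]:
    """Return a GtscHit if the name follows the Gtsc rename scheme, otherwise None."""
    m = GTSC_NAME_RE.match(filename)
    if not m:
        return None
    original = m.group("original")
    ext = original[original.rfind("."):] if "." in original else ""
    return GtscHit(filename, original, ext, m.group("victim_id"), m.group("email"))


def scan_listing(names: List[str]) -> Dict[str, object]:
    """Triage a listing: renamed files, ransom notes, and the distinct IDs/e-mails seen."""
    hits = [h for h in (parse_gtsc_name(n) for n in names) if h is not None]
    return {
        "encrypted": hits,
        "ransom_notes": [n for n in names if n == RANSOM_NOTE_NAME],
        "victim_ids": sorted({h.victim_id for h in hits}),
        "emails": sorted({h.email for h in hits}),
    }


if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    for hit in result["encrypted"]:
        print(f"{hit.path} -> was {hit.original_name} (id {hit.victim_id}, {hit.email})")
    print("ransom notes:", result["ransom_notes"])
```

The recovered original names tell a responder which files to restore from backup once the ransomware itself has been removed.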
Ransom Note Text:
“YOUR FILES ARE ENCRYPTED
Don't worry, you can return all your files!
If you want to restore them, follow this link:email firstname.lastname@example.org YOUR ID -
If you have not been answered via the link within 12 hours, write to us by e-mail:email@example.com
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.”
Gtsc's ransom note doesn't specify the ransom amount. Instead, victims are instructed to contact the criminals via email. Their messages should be addressed to either firstname.lastname@example.org or email@example.com and must contain the victim's ID, which is given in the ransom note.
Victims are promised a reply within 12 hours. They are also warned not to use third-party decryption tools, as there are scammers who offer non-working decryption software.
Currently, there is no third-party decryptor for Gtsc ransomware. As this threat is based on the well-known and thoroughly analyzed Dharma ransomware, researchers are likely to develop decryption software soon.
Therefore, victims are advised to refrain from paying the ransom. By paying, the victims not only risk losing money but also encourage the threat actors to continue their illegal business.
Victims can restore their data from file backups saved on external or cloud storage. Of course, the ransomware must be removed before data recovery is attempted; otherwise, Gtsc will re-encrypt the newly restored files.
How Gtsc infects its victims
Gtsc ransomware uses classic distribution techniques, such as pirated software, malicious emails, corrupted links, and fake updates. Trojans could also drop Gtsc ransomware as second stage malware.
Malspam – Malicious emails are a well-known cause of malware infections. Although everybody is aware of the potential risk, malicious messages are still very effective when it comes to malware distribution.
Criminals use a technique called "spoofing" that makes it look as if the message came from legitimate sources. The scammers usually impersonate well-known businesses and institutions, such as shipping companies and government organizations, to lure their victims into downloading malicious attachments. Therefore, users are advised to treat all unexpected emails as potentially malicious.
Trojans – A trojan horse is a versatile type of malware that can be used to download and install other malware. There are also remote access trojans (RATs) that allow their operators to execute arbitrary commands on the host device.
Pirated software – Hackers are aware that many users do not want to, or cannot afford to, pay for expensive software. They exploit this by uploading cracked app installers that are infected with malware. If a user falls into the trap, all sorts of threats could flood their device, ransomware included.