Sextortion scams have proven popular with hackers in 2019. A well-composed email and an email list are all that is necessary. The latter can easily be bought for next to nothing via darknet marketplaces and hacking forums. Next to no technical skill is required to run sextortion scams and as hackers’ Bitcoin wallets show, they are effective.

Many sextortion scams use the tried and tested method of threatening to expose a user’s online activities (pornography habits, dating/adultery site usage) to all their contacts and friends/family unless a payment is completed. Some of the recent sextortion scams have added credibility by stating that they had users’ passwords. However, new sextortion scams have been detected in the past few days that are using a different tactic to get users to pay up.

The email template used in this scam is like other recent sextortion scams. The hackers claim to have a video of the victim viewing adult content. The footage was recorded through the victim’s webcam and has been spliced with screenshots of the content that was being looked at.

In the new campaign the email includes the user’s email account in the body of the email, a password (Most likely an old password impacted in a previous breach), and a hyperlink that the victim is encouraged to click to download the video that has been created and see exactly what will soon be shared via email and social media networks.

Visiting the link in the video will trigger the installation of a zip file. The compressed file contains a document including the text of the email along with the supposed video file. That video file is actually an information gatherer – The Azorult Trojan.

This form of the scam is even more likely to be successful than past campaigns. Many individuals who receive a sextortion scam email will see it for what it really is: A mass email including an empty threat. However, the inclusion of a link to download a video is likely to see many people download the file to find out if the threat is real.

If the zip file is opened and the Azorult Trojan executed, it will silently gather information from the user’s computer – Similar information to what the attacker claims to have already obtained: Cookies from websites the user has seen, chat histories, files stored on the computer, and login information entered through browsers such as email account and bank details.

However, it doesn’t finish here. The Azorult Trojan will also install a secondary payload: GandCrab ransomware. Once information has been gathered, the user will have their personal files encrypted: Documents, spreadsheets, digital images, databases, music, videos, and more. Recovery will depend on those files having been backed up and not being encrypted by the ransomware. Aside from permanent file loss, the only other alternative will be to pay a high ransom for the key to decrypt the files.

If the email was sent to a business email account, or a personal email account that was being logged onto at work, files on the victim’s work computer will be encrypted. Since a record of the original email will have been extracted on the device, the reason why the malware was downloaded will be made clear to the IT department.

The key to not being tricked is to ignore any threats sent via email and never click links in the emails nor click on email attachments.

Companies can plan for the threat by using cybersecurity solutions such as spam filters and web filters. The former stop the emails from being sent while the latter blocks access to sites that host malware.