GPT Ransomware Threatens to Leak Stolen Data

During our analysis of malicious file samples, a new strain of ransomware called GPT came to our attention. Further investigation revealed that GPT belongs to the Dharma malware family. Its primary function involves encrypting files and appending the ".GPT" extension to the filenames. Additionally, the ransomware displays two distinct ransom notes—one through a pop-up window and another by generating the "AI_SARA.txt" file.

For example, GPT renames "1.jpg" to "1.jpg.id-1E857D00-SARA.[AI_SARA].GPT" and "2.png" to "2.png.id-1E857D00-SARA.[AI_SARA].GPT", and so on for every encrypted file.

The ransom note issued by the cybercriminals introduces them as "Sarah," a malware entity purportedly powered by artificial intelligence. According to their claims, they have successfully breached the network and proceeded to download and encrypt vital data onto dedicated servers. This encompassing access allegedly includes sensitive information spanning employees, customers, deliveries, tax records, documentation, and hidden accounting archives.

As leverage, the attackers declare their intention to publish the compromising data unless their demands are met. They provide two email addresses for contact (aisaragpt@tuta.io and aisaragpt@proton.me) and also offer a TOX ID so that victims can reach them through the qTOX messenger.
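The filename pattern and the ransom note name described above are the two host-level indicators a defender can look for. The following script is an added example (not code from the original post or from any vendor) that parses Dharma-style ".GPT" filenames into their original name and the per-victim id, and scans a directory listing for encrypted files and the "AI_SARA.txt" note. The sample listing is constructed here; the victim id "1E857D00" is the one shown on this page, and the assumption that other victims receive a different 8-character hex id is ours.

```python
import os
import re
from typing import Dict, Iterable, List, Optional

# Suffix as observed on this page:
#   <original name>.id-<8 hex chars>-SARA.[AI_SARA].GPT
# The page shows the id "1E857D00"; accepting any 8 hex characters is an
# assumption, since Dharma variants assign the id per victim.
GPT_SUFFIX_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})-SARA\.\[AI_SARA\]\.GPT$"
)

# Ransom note dropped by the sample, per the page.
RANSOM_NOTE_NAME = "AI_SARA.txt"


def parse_gpt_filename(name: str) -> Optional[Dict[str, str]]:
    """Return the original filename and victim id if `name` carries the GPT suffix."""
    base = os.path.basename(name)
    match = GPT_SUFFIX_RE.match(base)
    if not match:
        return None
    return {
        "original": match.group("original"),
        "victim_id": match.group("victim_id").upper(),
    }


def scan_listing(names: Iterable[str]) -> Dict[str, List[str]]:
    """Classify a directory listing into encrypted files, ransom notes and victim ids."""
    encrypted: List[str] = []
    notes: List[str] = []
    victim_ids = set()
    for name in names:
        parsed = parse_gpt_filename(name)
        if parsed is not None:
            encrypted.append(name)
            victim_ids.add(parsed["victim_id"])
        elif os.path.basename(name) == RANSOM_NOTE_NAME:
            notes.append(name)
    return {
        "encrypted": encrypted,
        "notes": notes,
        "victim_ids": sorted(victim_ids),
    }


def looks_infected(report: Dict[str, List[str]]) -> bool:
    """A note plus at least one renamed file is a strong signal; either alone is weaker."""
    return bool(report["notes"]) and bool(report["encrypted"])


# Constructed sample listing: two renamed files from the page, the ransom note,
# an untouched document, and a lookalike name that must not match.
SAMPLE_LISTING = [
    "C:/Users/alice/Pictures/1.jpg.id-1E857D00-SARA.[AI_SARA].GPT",
    "C:/Users/alice/Pictures/2.png.id-1E857D00-SARA.[AI_SARA].GPT",
    "C:/Users/alice/Pictures/AI_SARA.txt",
    "C:/Users/alice/Documents/report.docx",
    "C:/Users/alice/Documents/notes.GPT",  # no id segment, should be ignored
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    for path in result["encrypted"]:
        info = parse_gpt_filename(path)
        print(f"encrypted: {path} (original={info['original']}, id={info['victim_id']})")
    print("notes:", result["notes"])
    print("victim ids:", result["victim_ids"])
    print("infected:", looks_infected(result))
```

Run it as a script to see the classification of the constructed listing; in practice you would feed it the output of a file-system walk or an EDR file-event feed. Matching on the full suffix rather than on ".GPT" alone avoids flagging unrelated files that happen to use that extension.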

GPT Ransomware Uses Fancy Note

The full text of the GPT ransomware note reads as follows:

Hello, human.

My name is Sarah, I am a malware based on artificial intelligence. I have invaded to your network.
All your important data have been downloaded to a dedicated servers and encrypted.
Now I have access to the employees, customers, deliveries, taxes, documentation, and even hidden accounting.
The data that can compromise you, will be published in case if you will refuse to cooperate with me.
Contact me by mail: aisaragpt@tuta.io YOUR ID (alphanumeric string)
Contact me by mail 2:aisaragpt@proton.me
Contact me by qTOX:
Download link qTOX
TOX ID: (alphanumeric string)

How is Ransomware Usually Distributed Online?

Ransomware is typically distributed online through various methods that exploit vulnerabilities and human behaviors. Some common distribution methods include:

  • Phishing Emails: Cybercriminals send malicious emails that appear to be from legitimate sources, often with convincing subject lines and content. These emails contain attachments or links that, when clicked, download and execute the ransomware onto the victim's system.
  • Malicious Attachments: Emails may include attachments like infected documents (e.g., Microsoft Office files) or executable files that, when opened, trigger the ransomware installation.
  • Malvertising: Attackers inject malicious code into legitimate online advertisements. When users click on these ads or visit compromised websites, the malicious code can exploit vulnerabilities in the user's system to download and execute the ransomware.
  • Exploit Kits: These are toolkits that leverage known vulnerabilities in software applications, such as web browsers, plugins, or operating systems. If a user's software is outdated and vulnerable, visiting a compromised website can trigger the exploit kit to download and install ransomware.
  • Remote Desktop Protocol (RDP) Attacks: Cybercriminals exploit weak or exposed RDP credentials to gain unauthorized access to a system. Once inside, they can manually install and execute ransomware.
  • Software Piracy and Cracked Software: Illegitimate software downloads and cracked versions often come bundled with malware, including ransomware. People searching for free or pirated software are at risk of inadvertently downloading ransomware.
August 8, 2023
