
GandCrab Ransomware

Posted: January 29, 2018

The GandCrab Ransomware is a severe-level, encryption-based malware threat which has plagued users all over the world throughout 2018. Similar to other notorious Ransomware threats in circulation, GandCrab sneaks into target PCs via exploit kits, malicious JavaScript and document email attachments, as well as through a Ransomware-as-a-Service (RaaS) affiliate program, ultimately encrypting the victims' files without their knowledge. The affected users face complete data loss unless they pay the required ransom amount, predominantly in the form of an obscure virtual currency called DASH. Having first come into sight in late January, GandCrab has since reincarnated itself in many subsequent versions, each adding a specific flavor to the infection process: different extensions for encrypted files, varying ransom amounts, and changing infection vectors. Fortunately, security specialists have more or less succeeded in coming up with a decryption key shortly after (almost) every newly released GandCrab variant.

The First Trojan Running Towards a Dash and a Half

Bitcoin is the 'face' of the cryptocurrency industry, but competition does exist within that niche. For malware experts, the existence of alternatives, like Dogecoin, Litecoin, or Ethereum is significant for their possible inclusion into threat campaigns. For instance, the GandCrab Ransomware, a January-dated Trojan, is the first of its kind to demand its payments in Dash, which includes many of the Bitcoin's features, with a few others, like 'InstantSend' transactions.

The distribution of the GandCrab Ransomware's campaign is, apparently, global, and attacks are notable throughout diverse nations around the world. Although malware analysts have yet to look at any of its possible infection routes, the GandCrab Ransomware requires a Windows OS and could arrive through an e-mail attachment, a drive-by download from an exploit kit, or an RDP-based manual installation. The GandCrab Ransomware uses the same XOR-based cipher for blocking files as Trojans like the Nemucod Ransomware and the Xorist Ransomware, but is not a direct relative of either one.

Thanks to this attack, the GandCrab Ransomware creates a hostage situation with the infected PC's pictures, music, documents and other media. It also includes a heavily-customized domain for displaying a ransoming message: a request for 1.5 Dash (equal to 1200 USD) for unblocking the files with its decryption service. This part of the GandCrab Ransomware's infrastructure also includes more features than malware experts usually see, such as a built-in 'trial' decryptor for one file, and general statistics on both the infected PC and the encrypted data.

Outpacing the World's First Dashing Trojan

The GandCrab Ransomware is non-specific to any particular country and could be circulating through several means. Strategies that malware researchers find most pertinent to Trojans with the GandCrab Ransomware's style of attacks include:

  • The cybercrooks can deliberately hack through the network logins of businesses and other high-level targets, even those with significant financing and security. These RDP-based attacks can move laterally through different network-connected machines and drop GandCrab Ransomware infections as they proceed.
  • Spam e-mails are another prominent infection technique, both for businesses and governments and for random, recreational users. Most, but not all, attacks in this format include an attached file.
  • For more casual campaigns, victims may compromise their computers unintentionally after loading a website hosting a script- or plugin-based drive-by-download exploit, or by downloading a corrupted file from a file-sharing network.

Always sample free decryption opportunities with the assistance of appropriate cybersecurity experts before taking steps that would reward the GandCrab Ransomware's authors, such as paying the Dash ransom. A combination of isolated backups for preserving the media, and anti-malware products for exterminating the GandCrab Ransomware, can protect your computer from all associated damage.

Money does make the world go round, but Trojans are as much a part of the world as anything else. It follows naturally that innovation in currency can make profits for third parties just as much as it can bolster the bank accounts of ordinary workers.

GandCrab Variations Amass

Versions 1 and 2 – GandCrab '.GDCB'

The first GandCrab ransomware attacks, which reportedly took off at the end of January, relied on popular exploit kits such as RIG and GrandSoft, aiming to lure PC users into clicking on malicious links falsely warning about security flaws in programs such as Adobe Flash and Internet Explorer. The actual GandCrab payload collected both system and personal data, killing all running processes that might interfere with its execution. It then generated the key pair (public and private) and encrypted the user's data, adding the .GDCB suffix to each file and sending the private key to the Command-and-Control (C2) server. The ransom note – a text file which loaded following a PC restart – urged victims to pay 1.5 DASH (worth approx. $1,200.00 at the time) in exchange for the private key. Since the latter resided on the C2 server, only accessible from a closed TOR network, infected users had no other way of recovering their files for the time being than paying the ransom.

To widen the scope of the infection, GandCrab's creators went out of their way to diversify the distribution of the ransomware. In addition to utilizing exploit kits, they also took advantage of regular email spamming, embedding a malicious JS or DOC payload in an attached ZIP archive. The Necurs botnet and the EITest infection chain came into play, as well. Last but not least, the hackers behind GandCrab launched the GandCrab Affiliate Program, letting affiliates collect 60% to 70% of the proceeds from each infected PC. The generous offer reportedly attracted dozens of cyber enthusiasts, some of whom are believed to have carried out hundreds of successful infections to date. In less than a month, the GandCrab ransomware struck over 50,000 PC users worldwide, raking in anywhere between $300,000.00 and $600,000.00.

On February 28, 2018, Europol revealed a decryption tool for this first incarnation of the GandCrab ransomware, available for free on NoMoreRansom. The GandCrab v1 decryptor became a reality following a successful hack into the C2 server storing the RSA private keys for all affected users. The server utilized the non-sanctioned '.bit' Top-Level Domain (TLD). The tool allowed for full data recovery for anyone who used it. However, the GandCrab story wasn't over yet.

Version 3 – GandCrab '.CRAB'

While the team behind GandCrab conceded defeat in a statement written in Russian, it quickly commenced work on a new, improved GandCrab variant. The first GandCrab v3 attacks took place throughout March and April. This time, the ransomware's creators took advantage of Magnitude – an exploit kit otherwise known for distributing other notorious ransomware threats such as Magniber and Cerber – to carry out fileless attacks against target PCs. Unlike v1 and v2, which appended the .GDCB suffix, GandCrab v3 added a different extension to every encrypted file - .CRAB. While the new ransom note – a text file called CRAB-DECRYPT.txt – also hinted that a ransom payment is due for a decryptor, it neglected to mention both the precise amount required and the virtual currency. You had to open a dedicated web page via the TOR browser to see the 0.8 DASH (approx. $500.00) decryptor price.

GandCrab v3 tied up a few loose ends to make sure outsiders could no longer hack into the master server. This enhanced version shared a similar infection process with v1 and v2. First, it would collect system configuration data and use it to assign a Ransom ID to each targeted PC. Second, just like the older Cerber Ransomware, GandCrab v3 would kill all processes blocking write access to the targeted files. Otherwise, the malware would not be able to encrypt a file if it is already open in another program. Finally, it'd deploy an AES-256 algorithm to encrypt the data and generate an RSA-2048 key pair (public and private). In the event of a successful attack, GandCrab would connect to the C2 server and delete any backups created by Microsoft's Volume Shadow Copy Service (VSS).

In addition to the Magnitude EK, the crooks behind GandCrab v3 also relied on spam emails, smuggling the ransomware in a JS file (masked as a PDF file) embedded in a 7z archive. The subject of the spam emails usually referred to such documents as payment invoices and order confirmations, to name but a few. The fileless infection starts as soon as the unsuspecting recipient of the email has:

  • unzipped the archived attachment
  • opened the pseudo PDF file and
  • enabled Macros when prompted to do so

The slightly modified GandCrab v3.1 variant, which appeared later on, featured a few minor changes in the source code, as well as a new required ransom amount of USD 800,00.00 payable in either DASH or Bitcoin.

While the .CRAB variants of the ransomware can be removed from an infected system either by hand or via a reliable antimalware application, no existing tool allows for full data recovery yet. However, if you extract the RC4 key used to encrypt GandCrab's subsequent communication with the C2 server, you could stand a chance of recovering your data, as long as you keep a log of this communication on your machine.

Version 4 – GandCrab '.KRAB'

GandCrab v4 debuted in July 2018 and featured:

  • the new .KRAB extension appended to every encrypted file
  • the Tiny Encryption Algorithm (TEA) in place of AES-256
  • a new infection vector which spread GandCrab v4 disguised as cracks for popular software programs

When executed, the fake software crack dropped the actual GandCrab v4. The latter collected PC configuration details to determine whether the targeted PC had a Russian system locale and keyboard layout. If that were the case, the infection went no further, and the PC remained unscathed. Otherwise, the infection proceeded: GandCrab v4 stopped some system processes and created a unique URL for each infected user. This time, it was a Microsoft Cryptographic Provider that generated the public/private key pair. As soon as the data encryption process had come to an end, GandCrab v4 launched the ransom note. Titled KRAB-DECRYPT.txt, the note demanded that victims access a particular web page via the TOR network to get payment instructions. The page contained a countdown timer and an asking price of 2.58 DASH (worth about $400,00 at the time). The timer gave every user 48 hours to pay the ransom before the required amount doubled.

Versions 5.xx – GandCrab '.[RANDOM-CHARACTERS]'

The fifth and most recent generation of GandCrab Ransomware variants originated in September 2018, with a few v5 modifications having since joined in (dubbed v5.01, v5.02, etc.) as a result of GandCrab's Ransomware-as-a-Service (RaaS) Affiliate program.

GandCrab v5's primary mode of distribution is via malware-laden websites which store the Fallout EK. Prospective victims usually visit such sites after clicking on seemingly innocuous web ads which eventually turn out to be nothing short of malicious advertisements. The scope of the encryption covers personal files stored on the targeted user's PC, as well as all the data stored on the network-shared folders (if any). Unlike previous versions, GandCrab v5 appends a random five-letter extension to the files it encrypts. That means each infected user gets a different five-letter extension.

The GandCrab 5.0.5 Ransomware is a threat that blocks access to specific files using the RSA-2048 and Salsa20 encryption algorithms. It uses a pattern of five random characters to generate file extensions: the GandCrab 5.0.5 Ransomware takes random letters and places them at the end of each file name of the affected data. In one instance, the symbols were 'cyykg,' for example. Once this encryption is complete, the GandCrab 5.0.5 Ransomware also creates a text file named with the same pattern of characters, followed by the word DECRYPT. The note asks for a ransom in exchange for restoring access to the encrypted files, but there is no guarantee that the criminals will release the files of any affected user who pays the ransom. The updated ransom note may have the following text within:

All your files, documents, photos, databases and other important files are encrypted and have the extension: .ROTXKRY
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:

| 0. Download Tor browser - hxxps://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: hxxp://gandcrabmfe6mnef.onion/113737081e857d00
| 4. Follow the instructions on this page

On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.

---END PC DATA---

The GandCrab 5.0.5 Ransomware is a new version released after the appearance of the free decryptor created by Europol in partnership with the international community of anti-virus companies. The decryptor in question can safely return the files of affected users to their original state, but only those encrypted by versions 2, 3 and 4 of GandCrab. At this time, the GandCrab 5.0.5 Ransomware doesn't have a working decryptor that users can utilize to regain access to their files.

Update December 3rd, 2018 — GandCrab 5.0.9 Ransomware

The GandCrab 5.0.9 Ransomware is the latest update to the infamous GandCrab Ransomware family. This update lacks major improvements, but it is still able to encrypt a large number of files swiftly and then extort their owner for money. Unfortunately, the latest versions like this one still cannot be decrypted for free, so victims of the GandCrab 5.0.9 Ransomware may not be left with many reliable recovery options.

The GandCrab 5.0.9 Ransomware update may use a random five-character extension to mark the locked files, as well as to form the name of the ransom note file. The sample of the GandCrab 5.0.9 Ransomware that malware researchers spotted in the wild uses the '.WWZAF' extension to mark the files, and the 'WWZAF-DECRYPT.txt' ransom note to deliver decryption instructions. As usual, the authors of the harmful program are looking to receive a hefty payment in exchange for their decryption service.
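The naming pattern described for v3, v4 and the v5.x releases (a fixed .CRAB or .KRAB tag, or five random letters, appended to each file, with a note called <TAG>-DECRYPT.txt dropped alongside) is easy to turn into a triage check for a file server or a recovered disk image. The script below is an added example written for this article; it is not the article's own code or any vendor's tool. It walks a directory tree, pairs every <TAG>-DECRYPT.txt note with the files carrying the matching extension (including files on a simulated network share, since the article notes that v5 also encrypts shared folders), maps the tag to the version the article associates with it, and checks a note's text for phrases from the ransom note reproduced above. The sample directory tree, the note text with a placeholder .onion address, and the file names are all constructed for the demonstration.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Ransom-note naming seen across the versions described in the article:
# a fixed tag (GDCB / CRAB / KRAB) or five random letters, then "-DECRYPT.txt".
NOTE_RE = re.compile(r"^([A-Za-z]{4,5})-DECRYPT\.txt$", re.IGNORECASE)

# Fixed extensions named in the article, mapped to the version they mark.
FIXED_EXTENSIONS = {"GDCB": "v1/v2", "CRAB": "v3", "KRAB": "v4"}

# Phrases taken from the ransom-note text quoted in the article; all must be present.
NOTE_MARKERS = ("closed network TOR", ".onion", "decrypt 1 file for free")

# Constructed note text modelled on the article's quote (placeholder onion address).
SAMPLE_NOTE = """All your files, documents, photos, databases and other important files are encrypted and have the extension: .WWZAF
The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files.
The server with your key is in a closed network TOR. You can get there by the following ways:
| 0. Download Tor browser - hxxps://www.torproject.org/
| 1. Install Tor browser
| 2. Open Tor Browser
| 3. Open link in TOR browser: hxxp://[onion-address-placeholder].onion/[victim-id]
| 4. Follow the instructions on this page
On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.
"""


@dataclass
class Finding:
    note_path: str
    extension: str                  # tag taken from the note's file name
    version_hint: str               # version the article associates with that tag
    encrypted_files: list = field(default_factory=list)


def version_hint_for(extension):
    """Map a note tag to the GandCrab version the article associates with it."""
    return FIXED_EXTENSIONS.get(extension.upper(), "v5.x (random five-letter extension)")


def note_looks_like_gandcrab(text):
    """True when every marker phrase from the article's sample note is present."""
    return all(marker in text for marker in NOTE_MARKERS)


def scan_tree(root):
    """Pair every <TAG>-DECRYPT.txt note under root with the files anywhere in the
    tree whose name ends in ".<tag>" (case-insensitive); one Finding per note."""
    all_files = []
    for dirpath, _dirnames, filenames in os.walk(root):
        all_files.extend(os.path.join(dirpath, name) for name in filenames)

    findings = []
    for path in all_files:
        match = NOTE_RE.match(os.path.basename(path))
        if not match:
            continue
        tag = match.group(1)
        suffix = "." + tag.lower()
        hits = [p for p in all_files
                if p != path and os.path.basename(p).lower().endswith(suffix)]
        findings.append(Finding(path, tag, version_hint_for(tag), sorted(hits)))
    return sorted(findings, key=lambda f: f.note_path)


def build_sample_tree(root):
    """Create a constructed victim directory (sample data, not a real infection)."""
    docs = os.path.join(root, "Documents")
    share = os.path.join(root, "share")       # stands in for a mapped network share
    os.makedirs(docs)
    os.makedirs(share)
    for name in ("report.docx.WWZAF", "photo.jpg.WWZAF", "budget.xlsx.wwzaf"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(docs, "WWZAF-DECRYPT.txt"), "w") as fh:
        fh.write(SAMPLE_NOTE)
    with open(os.path.join(docs, "untouched.txt"), "w") as fh:
        fh.write("not encrypted\n")
    # A v4-style (.KRAB) artifact on the simulated share.
    with open(os.path.join(share, "scan.pdf.KRAB"), "wb") as fh:
        fh.write(b"\x00" * 16)
    with open(os.path.join(share, "KRAB-DECRYPT.txt"), "w") as fh:
        fh.write("placeholder note text\n")


def run_demo():
    """Build the sample tree in a temp directory, scan it and return the findings."""
    root = tempfile.mkdtemp(prefix="gandcrab-triage-")
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{os.path.basename(f.note_path)} -> .{f.extension} ({f.version_hint}), "
              f"{len(f.encrypted_files)} file(s) affected")
```

Run it on a real tree by calling `scan_tree("/path/to/mounted/volume")` instead of `run_demo()`; because v5.x drops a note in every folder it touches, expect one Finding per note, each listing every file with that tag, so de-duplicate by tag when reporting. The content check is deliberately strict (all phrases required) so that an ordinary text file mentioning Tor does not trip it.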
