GandCrab is a ransomware-as-a-service variant that was discovered in early 2018 by experts at cyber security firm LMNTRIX. Described as agile ransomware, the actors behind this strain started by publishing the least well-built malware that could possibly work, and improved it as they went along. Advertised in the Russian hacking community on the dark web, this strain is operated through an affiliate program, with those joining the program paying 30%-40% of their earned ransom revenues to the GandCrab author. In return, affiliates get a full-featured web panel and technical support.
How The Attack Works
RIG and GrandSoft exploit kits are utilized to distribute this ransomware strain via phishing emails sent to victims. Within the first month of distribution, it was estimated that the GandCrab strain infected about 50,000 computers, most of them in Europe, asking each victim for ransoms between $400-$700,000 in DASH cryptocurrency.
GandCrab v4 Features
An updated version of the strain, seen in the wild in July 2019, had some interesting features not previously seen:
GandCrab and Vidar - A Nasty Malware Hybrid
Almost a year after the strain was first discovered, a hybrid attack combining GandCrab with Vidar, a data-harvesting malware, was detected. Vidar exfiltrates a wide variety of data, including passwords, documents, screenshots, stored two-factor authentication information, and cryptocurrency wallets, and sends it to its C&C server. Next, GandCrab encrypts the infected system and displays a ransom demand. The Fallout Exploit Kit was used to distribute this combo.
Running an infostealer before deploying the ransomware ensures some money for the adversary even if the victim does not pay the ransom. Even if the cybercriminals have no use for the stolen data themselves, they can sell it on underground forums. Here is a diagram to show how this attack works:
Should You Be Worried About GandCrab?
The earliest versions were relatively benign, really only working in environments where security is completely lacking (e.g. no antivirus, as AV will easily spot this), and where the existing patch (that has been out since May of 2017) hasn’t been applied. Anyone still running Windows XP or Windows 2003 is at risk. While Microsoft’s patch is available for older operating systems (with the exception of Windows 2000), many AV solutions no longer support these older OSes, making them prime targets for this new and improved ransomware variant.
Bitdefender has a decryption tool for this strain: https://labs.bitdefender.com/2018/10/gandcrab-ransomware-decryption-tool-available-for-free/
UPDATE: As of May 2019, cybercriminals behind GandCrab announced they were closing up shop and retiring after having allegedly earned more than $2 billion in extortion payments from victims.