GandCrab

GandCrab is currently distributed through a Seamless malvertising campaign that attempts to install the ransomware via the RIG exploit kit and GrandSoft exploit kit. This ransomware variant appends .GDCB to the names of encrypted files and skips files whose path contains any of the following: \ProgramData\, \Program Files\, \Tor Browser\, Ransomware, \All Users\, \Local Settings\, desktop.ini, autorun.inf, ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, thumbs.db, GDCB-DECRYPT.txt, .sql. GandCrab employs several NameCoin .BIT domains for its Command and Control (C2) servers.

GandCrab is the first documented ransomware to accept payments in the form of DASH cryptocurrency. A ransom note named GDCB-DECRYPT.txt is placed in multiple locations on the infected machine and demands a payment of 1.54 DASH ($1,170 USD). Victims are instructed to download the TOR browser or visit one of several provided TOR browser gateways for additional payment instructions.

2/8/2018: A malspam campaign is distributing GandCrab via malicious email attachments disguised as receipts. The infection chain begins when a user clicks on the Captcha field for the PDF document which initiates the download of a word document. If macros are enabled to run, GandCrab is downloaded and installed on the victim’s machine via PowerShell.  

2/28/2018: The malware distribution campaign, EITest, is now distributing GandCrab as part of the HoeflerText Font Update scam. This campaign scrambles text of compromised websites and displays an alert advising the user to download an update to fix the issue. If the user clicks “Update” a file named Font_Update.exe will download and launch GandCrab ransomware on the victim’s machine.

3/6/2018: MalwareHunterTeam detected GandCrab version 2 which utilizes two new hostnames for the Command and Control servers, appends .CRAB to the names of encrypted files, and creates a ransom note named CRAB-Decrypt.txt. Additional changes include the ability to contact the malware developers via the Tox instant messaging service and an updated TOR payment page.

5/4/2018: Researchers with Fortinet discovered a new version, GandCrab v3, which uses Visual Basic Scripts to download the malware and changes the desktop wallpaper to a ransom note. Once files on an infected machine are encrypted, the malware forces a system reboot; however, a coding bug in the ransomware disrupts the reboot process and prevents the Windows Shell from completely loading on machines running Windows 7. As a result, victims with infected Windows 7 machines will only have access to the ransom note wallpaper and a site to download the TOR Browser. The reboot process is successful on affected Windows 10 and Windows 8.1 systems.

7/3/2018: GandCrab V4 appends .KRAB to the names of encrypted files, creates a ransom note named KRAB-DECRYPT.txt, uses the Salsa20 encryption algorithm, and directs victims to a new TOR payment site. This version of GandCrab is believed to be distributed via fraudulent software crack downloads. Currently, there is no free decryption tool available for GandCrab V4.   

  • Bleeping Computer provides additional information on GandCrab here.
  • Malwarebytes Labs provides additional analysis here.
  • Bitdefender released a free decryption tool for GandCrab via the NoMoreRansom project here.
  • AhnLab released a vaccine app that prevents GandCrab V4.1.2 from encrypting a user's files. The app is available for download here and here

Image Source: Bleeping Computer