GandCrab

GandCrab is currently distributed through a Seamless malvertising campaign that attempts to install the ransomware via the RIG exploit kit and GrandSoft exploit kit. This ransomware variant appends .GDCB to the names of encrypted files and skips files whose path contains any of the following: \ProgramData\, \Program Files\, \Tor Browser\, Ransomware, \All Users\, \Local Settings\, desktop.ini, autorun.inf, ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, thumbs.db, GDCB-DECRYPT.txt, .sql. GandCrab employs several Namecoin .BIT domains for its Command and Control (C2) servers.

GandCrab is the first documented ransomware to accept payments in the form of DASH cryptocurrency. A ransom note named GDCB-DECRYPT.txt is placed in multiple locations on the infected machine and demands a payment of 1.54 DASH ($1,170 USD). Victims are instructed to download the TOR browser or visit one of several provided TOR browser gateways for additional payment instructions.

2/8/2018: A malspam campaign is distributing GandCrab via malicious email attachments disguised as receipts. The infection chain begins when the user clicks the Captcha prompt inside the PDF attachment, which initiates the download of a Word document. If macros are enabled, GandCrab is downloaded and installed on the victim’s machine via PowerShell.
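The indicators above (the .GDCB extension, the GDCB-DECRYPT.txt note, the skip list and the use of .bit C2 domains) are enough to build a small triage helper for a suspected infection. The script below is an added example and is not code from the original page or from any of the sources it cites. It sorts file paths into encrypted, ransom-note, skipped and in-scope buckets, and pulls Namecoin .bit domains out of resolver log lines so that C2 lookups can be spotted. The sample paths and log lines are constructed; matching the skip list case-insensitively is an assumption based on Windows paths being case-insensitive, since the advisory only lists the strings.

```python
import re

# Path fragments the advisory says GandCrab leaves alone. Matching is done
# case-insensitively below (assumption: Windows paths are case-insensitive).
SKIP_FRAGMENTS = [
    "\\ProgramData\\", "\\Program Files\\", "\\Tor Browser\\", "Ransomware",
    "\\All Users\\", "\\Local Settings\\", "desktop.ini", "autorun.inf",
    "ntuser.dat", "iconcache.db", "bootsect.bak", "boot.ini",
    "ntuser.dat.log", "thumbs.db", "GDCB-DECRYPT.txt", ".sql",
]
ENCRYPTED_EXT = ".GDCB"          # appended to every encrypted file
RANSOM_NOTE = "GDCB-DECRYPT.txt"  # dropped in multiple folders

# A hostname whose last label is "bit" and that is not followed by more
# hostname characters (so "files.bit.internal" is not reported).
BIT_DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.bit)(?![\w.-])", re.I)


def would_be_skipped(path: str) -> bool:
    """True if the path contains any fragment from the advisory's skip list."""
    lowered = path.lower()
    return any(fragment.lower() in lowered for fragment in SKIP_FRAGMENTS)


def classify_paths(paths):
    """Bucket file paths for triage: ransom notes, encrypted files,
    files the ransomware skips by design, and everything else (in scope)."""
    buckets = {"ransom_note": [], "encrypted": [], "skipped": [], "other": []}
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if name.lower() == RANSOM_NOTE.lower():
            buckets["ransom_note"].append(path)   # checked before the skip list,
        elif path.upper().endswith(ENCRYPTED_EXT):  # since the note name is in it
            buckets["encrypted"].append(path)
        elif would_be_skipped(path):
            buckets["skipped"].append(path)       # left intact by the ransomware
        else:
            buckets["other"].append(path)         # in scope; inspect for damage
    return buckets


def find_bit_domains(log_lines):
    """Return the unique .bit domains seen in resolver log lines, lowercased and sorted."""
    found = set()
    for line in log_lines:
        for match in BIT_DOMAIN_RE.findall(line):
            found.add(match.lower())
    return sorted(found)


# Constructed sample input for a stand-alone run (not real artefacts).
SAMPLE_PATHS = [
    "C:\\Users\\alice\\Documents\\report.docx.GDCB",
    "C:\\Users\\alice\\Documents\\GDCB-DECRYPT.txt",
    "C:\\ProgramData\\Vendor\\cache.dat",
    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat",
    "C:\\Users\\alice\\Desktop\\desktop.ini",
    "C:\\inetpub\\backups\\customers.sql",
    "C:\\Users\\alice\\Pictures\\holiday.jpg",
]
SAMPLE_DNS_LOG = [
    "2018-02-08T10:11:12Z client=10.0.0.5 query=update.example.com type=A",
    "2018-02-08T10:11:13Z client=10.0.0.5 query=example-c2.bit type=A",   # constructed C2 name
    "2018-02-08T10:11:14Z client=10.0.0.7 query=bitbucket.org type=A",    # must not match
    "2018-02-08T10:11:15Z client=10.0.0.7 query=files.bit.internal.example type=A",
]

if __name__ == "__main__":
    for bucket, paths in classify_paths(SAMPLE_PATHS).items():
        print(f"{bucket}: {paths}")
    print("bit domains:", find_bit_domains(SAMPLE_DNS_LOG))
```

The "skipped" bucket is useful during response because those paths are the ones the page says the ransomware never touches, so system files there can be trusted as unencrypted; the "other" bucket is where damage should be checked. The .bit matcher is deliberately strict about the trailing label so that hostnames merely containing "bit" do not produce false positives in resolver logs.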

  • Bleeping Computer provides additional information on GandCrab here.
  • Malwarebytes Labs provides additional analysis here.
  • The NJCCIC is not currently aware of any free decryption tools available for GandCrab.

Image Source: Bleeping Computer