Video: GandCrab tries out some new tactics for ransomware
A recently-released form of ransomware, which has the unusual distinction of being distributed via two different exploit kits, is now being sold ‘as-a-service’ on hacking forums.
GandCrab first emerged in January and was found to be distributed by the RIG exploit kit and the GrandSoft exploit kit, two toolsets that give attackers everything they need to exploit vulnerabilities and deliver malware.
Usually, exploit kits are used to distribute trojans and coin-miners, but they’re also proving to be effective for this form of ransomware.
Those behind GandCrab aren’t keeping their tools to themselves. Researchers at Flashpoint have described to ZDNet how the ransomware is being advertised on what’s described as a ‘top-tier Russian hacking forum’.
A translation of a post made on the forum offers would-be crims a ‘partnership program’ for the ransomware, with the creators taking up to 60 percent of the ransom fees paid to their clients. However, successful crooks could earn up to 70 percent of the ransom payments for themselves.
In exchange for taking a cut of the profits, GandCrab’s authors offer their users support and updates for the ransomware — including, if necessary, offering step-by-step instructions via the use of a ticketing system and other features associated with legitimate, rather than criminal, software. It’s all to make the ransomware as easy as possible to distribute and use.
“GandCrab described the ransomware as being designed for maximum usability for both the operators and victims,” said Vitali Kremez, director of research at Flashpoint.
For those who are more cyber-savvy than the lowest-level users, GandCrab offers customisation options, allowing the operator to alter the ransom payment — manually, or automatically depending on where in the world the victim is located, to ensure a better chance of payment — and to change the file extensions which the ransomware targets for encryption.
There aren’t many terms and conditions for buyers of GandCrab-as-a-service to adhere to — but the authors explicitly instruct users not to target Russia or any other country in the Commonwealth of Independent States of former Soviet republics.
While delivery via exploit kits isn’t typical for ransomware, once GandCrab is on a targeted system it operates like any other ransomware, encrypting files and giving them a .GDCB extension, then demanding a ransom in exchange for restoring them.
However, while most ransomware demands payment in bitcoin, GandCrab instead opts for payment in the lesser known Dash cryptocurrency. While that’s likely, at least partially, down to volatility and hype around bitcoin slowing down transactions, Dash also offers increased privacy compared to bitcoin.
“Dash remains to be favoured by the criminal gang behind GandCrab due to the currency implementations of instant transactions and private transactions that might be favoured in their money laundering operations,” Kremez told ZDNet.
There’s currently no free means of decrypting files locked with GandCrab, but given how it uses known vulnerabilities in Internet Explorer and Flash Player to launch attacks, users can go a long way to protecting themselves from falling victim to it by ensuring all of their software is up to date.
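Since the article notes that encrypted files are given a .GDCB extension, a defender can use that as a cheap indicator. The following is an added example, not code from the article or from Flashpoint: it parses constructed file-rename events (a made-up log format, not real telemetry) and flags any process that renames several files to .GDCB within a short window, which is the burst pattern a ransomware encryptor produces.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp pid old -> new" format.
# One process (4412) renames five files to .GDCB in three seconds; the others are benign noise.
SAMPLE_EVENTS = """\
2018-01-30T10:00:01 4412 C:\\Users\\a\\Docs\\budget.xlsx -> C:\\Users\\a\\Docs\\budget.xlsx.GDCB
2018-01-30T10:00:01 4412 C:\\Users\\a\\Docs\\notes.txt -> C:\\Users\\a\\Docs\\notes.txt.GDCB
2018-01-30T10:00:02 4412 C:\\Users\\a\\Pictures\\holiday.jpg -> C:\\Users\\a\\Pictures\\holiday.jpg.GDCB
2018-01-30T10:00:02 4412 C:\\Users\\a\\Docs\\report.docx -> C:\\Users\\a\\Docs\\report.docx.GDCB
2018-01-30T10:00:03 4412 C:\\Users\\a\\Docs\\cv.pdf -> C:\\Users\\a\\Docs\\cv.pdf.GDCB
2018-01-30T10:05:00 2201 C:\\Users\\a\\Docs\\draft.txt -> C:\\Users\\a\\Docs\\draft_old.txt
2018-01-30T11:30:00 3090 C:\\Temp\\x.bin -> C:\\Temp\\x.bin.GDCB
"""

EVENT_RE = re.compile(r"^(\S+) (\d+) (.+?) -> (.+)$")


def parse_events(text):
    """Parse the constructed log format into (timestamp, pid, old_path, new_path) tuples."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ts, pid, old, new = m.groups()
        events.append((datetime.fromisoformat(ts), int(pid), old, new))
    return events


def detect_gdcb_bursts(text, threshold=3, window_seconds=60):
    """Return {pid: peak_count} for processes that renamed >= threshold files
    to a .GDCB extension within any window of window_seconds."""
    per_pid = defaultdict(list)
    for ts, pid, old, new in parse_events(text):
        # Only count renames that newly add the extension, not moves of already-encrypted files.
        if new.lower().endswith(".gdcb") and not old.lower().endswith(".gdcb"):
            per_pid[pid].append(ts)
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pid, times in per_pid.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[pid] = peak
    return alerts


if __name__ == "__main__":
    print(detect_gdcb_bursts(SAMPLE_EVENTS))  # {4412: 5}
```

The extension match is the weakest part of this check (an operator can change it); the rate of renames per process is what carries the signal, so the same window logic applies to any suspicious suffix.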