GandCrab: The tale of the ever-evolving ransomware

GandCrab ransomware was first spotted in January 2018. This ransomware is usually propagated via malspam emails with the help of RIG exploit kit and GrandSoft exploit kit. This ransomware appends .GDCB to the names of the encrypted files.

Worth noting

• GandCrab is the first ransomware to use the DASH currency as a ransom payment.
• Another interesting feature is that GandCrab uses the NameCoin .BIT top-level domains for its C&C server.

Distribution via malspam

In February 2018, researchers observed a malspam campaign disguised as receipts distributing the GandCrab ransomware.

• The malspam emails will have a subject line similar to ‘Receipt Feb-078122’ and include a PDF attachment with names like ‘Feb01221812.pdf’.
• Upon opening the malicious PDF, it will show a prompt that pretends to be a CAPTCHA asking users to confirm they are human.
• Upon clicking the CAPTCHA, the PDF file downloads a malicious MS Word document that tricks users into enabling macros by clicking on the Enable Content button.
• This macro will launch a PowerShell command that downloads and executes the GandCrab ransomware.

Distribution via EI Test Hoefler Text scam

Researchers observed a Hoefler Text update scam, wherein attackers leveraged the EI Test to distribute the GandCrab ransomware.

• If a user clicks on the Update button to update Hoefler text, then a file named Font_Update.exe gets downloaded onto the user’s computer.
• Once executed, the malicious file will install and execute the GandCrab Ransomware.

Version 2, 3, 4 released

A new version of GandCrab v2 was released in March 2018. The next month, another version GandCrab v3 was released, followed by the 4th version in July 2018. GandCrab v2 encrypts files and appends the .CRAB extension to the filenames, while the GandCrab v4 appends the .KRAB extension to the filenames.

Decryptor tools released for GandCrab

In February 2018, Bitdefender released the first free decryptor tool which was used by almost 2,000 home users, companies and non-profits to retrieve their compromised data. Ten months later, Bitdefender released another decryptor for GandCrab versions 1, 4 and 5 up to v5.0.3.

In February 2019, Bitdefender in collaboration with the Romanian Police, Europol, and other law enforcement agencies, has released a new decryptor for GandCrab ransomware version v5.1.

However, attackers have released a new variant of GandCrab v5.2 the same month.

GandCrab v5.2 attacks

Since the release of GandCrab v5.2 in February 2019, it has been used in a couple of attacks.

• Attackers leveraged fake Center for Disease Control (CDC) warning to distribute the GandCrab 5.2 ransomware onto the victims’ systems.
• GandCrab v5.2 has been used to target the Chinese government officials via a phishing campaign that included a malicious archive named ‘03-11-19.rar.
• Last month, a medical billing service provider ‘Doctors’ Management Service’ suffered a GandCrab ransomware attack compromising patients’ data from almost 38 clients.
• In the latest attack, attackers exploited a vulnerability in Confluence Server and Data Center to distribute GandCrab ransomware as well as a variant of AESDDoS botnet.

This shows the extent to which threat actors can go to perpetrate large scale attacks by continuously improving GandCrab ransomware.