- The ransomware’s TOR site comes with a hidden private chat that can be enabled using one of the discount codes.
- This allows dishonest data recovery firms to hide the final cost of the GandCrab decryption process from its customers.
It was only a few months back that free decryption tools were made available for GandCrab versions 5.0 to 5.0.3. And, while these tools are yet to be made public, a new version of GandCrab has appeared. The developers of GandCrab released the new version, GandCrab v5.1, within 24 hours of the release of the decryption tools.
According to an extensive report from Coveware, the latest version of the ransomware comes with a variety of distribution changes and UX updates to the GandCrab TOR sites.
Multiple attack vectors and distribution techniques
Highlighting the attack vectors of the ransomware, the researchers said, “The primary attack vector for ransomware remains RDP ports, but GandCrab has a diverse array of distribution methods. While RDP-based ransomware attacks remain popular, automated attacks using exploit kits such as Fallout EK, Emotet, or credential stealers like Vidar have been linked to GandCrab infections as well.”
Given the wide availability of these toolkits, the ransomware authors have increased the average size of GandCrab ransom demands.
Hidden private chat
The ransomware’s TOR site comes with a hidden private chat that can be enabled using one of the discount codes. This allows dishonest data recovery firms to hide the final cost of the GandCrab decryption process from their customers, along with their chats with GandCrab support.
The discount code can be requested over chat. However, it can only be activated on the systems of targeted users.
“After entering the code, the applicable discount is displayed and the USD ransom amount on the payment pages is automatically adjusted. Discounts range from 5-20% depending on the size of the ransom,” the Coveware researchers added.
The payment process for GandCrab v5.1 remains the same. Here, the affected users are required to pay the ransom in Dash rather than in Bitcoin. “The wallet address for each page is unique and is rigged to trigger an updated screen on the TOR site once the correct amount of coins hits the wallet,” the researchers explained.