Story image

GandCrab: The 'agile' ransomware that is updated in real time

27 Mar 2018

The GandCrab ransomware has been making headlines recently for being one of the few malware strains that developers update in real time and according to Check Point’s research team, even ransomware is agile now.

By mid-March 2018, the GandCrab ransomware had infected more than 50,000 systems and snatched up to US$600,000 from victims since its debut in January.

Most infections were across the US, UK and Scandinavia, however attacks have also been spotted in Australia and Israel.

Check Point researchers say GandCrab has its own affiliate programme on the dark web, which may be a haven for more than 80 affiliates.

This programme, like many others, allows cybercriminals with few technical skills to run their own ransomware sprees.

The programme even provides advice and encouragement about what regions may be the most profitable. It can pay as much as 30-40% of ransom revenues to the developer.

The ransomware, which is primarily delivered by spam campaigns as well as the GrandSoft and Rig exploit kits.

The ransomware may be the work of a suspected Russian developer, may well be under-engineered but somehow, still effective.

“For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat,” researchers say in a blog.

Security experts managed to develop a GandCrab decryption tool but the ransomware creator was clearly watching. The creator quickly changed the ransomware to make the decryptor ‘useless’.

What’s more, GandCrab is able to avoid signature-based antivirus tools and test itself against them. This allows the ransomware to ‘maintain a fully undetected status’.

Check Point used its own anti-ransomware tools to further analyse GandCrab from a simulated infection.

“The execution process tree had not changed much and the forensic report could still trace back the encryption back to the source of infection. This allows for understanding which user files were affected and were was the infection source for all versions of the GandCrab ransomware,” Check Point explains.

“In the fifth generation of cyber threats, ransomware-as-a-service is evolving, its primary goal is still extortion, but now it’s agile. As a result, it is vital that organizations arm themselves with ‘Gen V’ advanced technologies in order to face these new threats with confidence,” Check Point concludes.

Attacks targeting Cisco Webex extension explode in popularity - WatchGuard
WatchGuard's Internet Security Report for Q4 2018 also finds growing use of a new sextortion phishing malware customised to individual victims.
Developing APAC countries most vulnerable to malware - Microsoft
“As cyberattacks continue to increase in frequency and sophistication, understanding prevalent cyberthreats and how to limit their impact has become an imperative.”
Worldwide spending on security to reach $103.1bil in 2019 - IDC
Managed security services will be the largest technology category in 2019.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.