SecurityBrief Asia logo

GandCrab: The 'agile' ransomware that is updated in real time

27 Mar 2018

The GandCrab ransomware has been making headlines recently as one of the few malware strains whose developers update it in real time; according to Check Point’s research team, even ransomware is agile now.

By mid-March 2018, the GandCrab ransomware had infected more than 50,000 systems and snatched up to US$600,000 from victims since its debut in January.

Most infections were across the US, UK and Scandinavia; however, attacks have also been spotted in Australia and Israel.

Check Point researchers say GandCrab has its own affiliate programme on the dark web, which may be a haven for more than 80 affiliates.

This programme, like many others, allows cybercriminals with few technical skills to run their own ransomware sprees.

The programme even provides advice and encouragement about what regions may be the most profitable. It can pay as much as 30-40% of ransom revenues to the developer.

The ransomware is primarily delivered by spam campaigns as well as by the GrandSoft and Rig exploit kits.

The ransomware may be the work of a suspected Russian developer and may well be under-engineered, but it is somehow still effective.

“For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat,” researchers say in a blog.

Security experts managed to develop a GandCrab decryption tool but the ransomware creator was clearly watching. The creator quickly changed the ransomware to make the decryptor ‘useless’.

What’s more, GandCrab is able to avoid signature-based antivirus tools and test itself against them. This allows the ransomware to ‘maintain a fully undetected status’.

Check Point used its own anti-ransomware tools to further analyse GandCrab from a simulated infection.

“The execution process tree had not changed much and the forensic report could still trace the encryption back to the source of infection. This allows for understanding which user files were affected and where the infection source was for all versions of the GandCrab ransomware,” Check Point explains.

“In the fifth generation of cyber threats, ransomware-as-a-service is evolving, its primary goal is still extortion, but now it’s agile. As a result, it is vital that organizations arm themselves with ‘Gen V’ advanced technologies in order to face these new threats with confidence,” Check Point concludes.
