GandCrab, a new ransomware-as-a-service emerges from Russian crime underground

Minimalist · Feb 4, 2018

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service in the dark web dubbed GandCrab.

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.
Click to expand...

https://securityaffairs.co/wordpress/68636/malware/gandcrab-raas.html

cruelsister · Feb 4, 2018

The crab has actually been out for a while now and pushed by various kits. Nothing really special (my cat is rather dismissive of it...).

Minimalist · Feb 28, 2018

Got that itchy GandCrab feeling? Ransomware decryptor offers relief

White hats have released a free decryption tool for GandCrab ransomware, preventing the nasty spreaders of the DIY malware from asking their victims for money.
Click to expand...

https://www.theregister.co.uk/2018/02/28/gandcrab_decryptor/

FanJ · Feb 28, 2018

Europol Press Release - 28 Feb 2018
"Free data recovery kit for victims of GandCrab ransomware now available on No More Ransom"
https://www.europol.europa.eu/newsr...dcrab-ransomware-now-available-no-more-ransom

GandCrab has made over 50 000 victims in less than one month

As of today, a new decryption tool for victims of the GandCrab ransomware is available on www.nomoreransom.org. This tool has been released by the Romanian Police (IGPR) under the supervision of the General Prosecutor’s Office (DIICOT) and in collaboration with the internet security company Bitdefender and Europol.
Click to expand...

Thanks to the efforts of the Romanian authorities, Bitdefender and Europol, the tool is available for free on No More Ransom and on Bitdefender’s webpage. It works for all known versions of the GandCrab ransomware family. The release of this new tool is yet another example of the effectiveness of public - private partnerships like No More Ransom, an initiative which now encompasses 120 partners, the Romanian Police most recently joining as an associate partner.
Click to expand...

The Bitdefender site: https://labs.bitdefender.com/tag/decryption-tool/

For the No More Ransom project see:
https://www.nomoreransom.org/en/index.html
https://www.wilderssecurity.com/thr...anies-join-forces-to-fight-ransomware.387365/

itman · Mar 1, 2018

EITest HoeflerText Scam Distributing GandCrab & Netsupport Manager

Even though Bitdefender released a GandCrab decryptor today, it is not stopping the GandCrab affiliates from continuing to use new methods to distribute their ransomware. Today malware traffic analysis nao_sec discovered that EITest was being used to distribute the GandCrab ransomware as part of the HoeflerText Font Update scam.

This social engineering scam scrambles the text of a hacked site when a visitor reaches it through a search engine. The JavaScript then issues an alert stating that the scrambled text was due to a browser font not being found and that a user should download and install a browser Font Pack to fix the problem.
Click to expand...

https://www.bleepingcomputer.com/ne...distributing-gandcrab-and-netsupport-manager/

guest · Apr 13, 2018

Compile Error Halts Some GandCrab Ransomware Infections
April 13, 2018
https://www.bleepingcomputer.com/ne...or-halts-some-gandcrab-ransomware-infections/

Not all GandCrab versions are affected, but only a GandCrab operation that tries to infect victims via malicious Word files users receive via spam emails.

These Word documents contain malicious VBScript code hidden inside a Word macro. If users download and open these Word files, then allow the macro to execute, the VBScript downloads and installs the GandCrab ransomware.
Compile error spotted earlier this week
While investigating this malspam campaign, security researcher Brad Duncan has spotted a compile error that blocks the VBScript from executing, meaning users won't get infected with GandCrab.
"Due to this compile error in the macro code, I can't say how many potential victims might have been spared from an infection since 2018-04-10," Duncan wrote on the SANS ISC forum yesterday.
Error will get fixed
"I'm sure the compile error in the [malspam] campaign will be resolved sooner or later," Duncan said. "When that happens, the normal risk of infection will return to any improperly-managed Windows hosts hit by this malspam."
Click to expand...

Minimalist · May 4, 2018

A bug in GandCrab ransomware V3 accidentally locks systems running Windows 7

Like other ransomware, such as Locky and Sage, the GandCrab ransomware v3 also changes the wallpapers of the infected systems. However, the researchers at FortiGuard Labs that analyzed this new feature discovered a bug that can accidentally lock systems running Windows 7 OS.

The feature correctly works for both Windows 10 and Windows 8 systems.
Click to expand...

https://securityaffairs.co/wordpress/72142/cyber-crime/gandcrab-ransomware.html

Minimalist · May 11, 2018

GandCrab ransomware attacks from legitimate websites

GandCrab[1] is definitely the highlight in the ransomware world this year. The file-encrypting virus keeps improving and looking for new ways to reach potential victims. This time researchers found malware lurking on the legitimate, but compromised, websites.

Researchers from Cisco[2] spotted four ransomware distribution campaigns since the beginning of May. According to the analysis, the attack was launched by exploiting vulnerabilities in outdated software, such as MySQL or WordPress.

The compromised websites downloaded malware payload on the computer as soon as a victim opened macro-enabled Word document sent via malicious spam emails. Within a couple of minutes, all targeted data on the computer becomes useless due to .gdcb or .crab file extensions.
Click to expand...

https://www.2-spyware.com/gandcrab-ransomware-attacks-from-legitimate-websites

guest · Jul 3, 2018

GandCrab V4 Released With the New .KRAB Extension for Encrypted Files
July 3, 2018
https://www.bleepingcomputer.com/ne...h-the-new-krab-extension-for-encrypted-files/

Unfortunately, at this time, victims of GandCrab v4 cannot decrypt their files for free.
GandCrab v4 distributed via fake crack sites
According to a malware analyst who goes by the alias Fly, one of the methdos GandCrab v4 is being distributed is through fake software crack sites. The ransomware distributors will hack legitimate sites and setup fake blogs that offer software crack downloads. When a user downloads and runs these cracks, they will install the GandCrab Ransomware onto the computer.
GandCrab begins using the Salsa20 encryption algorithm
According to debug messages found in GandCrab v4 by Malwarebytes security researcher Marcelo Rivero, it appears that the ransomware has switched its encryption algorithm to Salsa20.
Click to expand...

guest · Jul 9, 2018

Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does
July 9, 2018
https://www.theregister.co.uk/2018/07/09/legacy_windows_ransomware/

Miscreants have developed the first strain of ransomware worm capable of infecting legacy systems, such as Windows XP and 2003.

A new version of the GandCrab (v4.1) ransomware has an SMB exploit spreader that works against XP and 2003, as well as later versions of Windows. It's the first ransomware to actually "support" legacy systems, according to UK infosec practitioner Kevin Beaumont.

GandCrab v4.1 spreads via an SMB exploit. Previous versions of the malware were detected by antivirus scanners and this will probably be the case with the latest, which is sold as a kit and spread by script kiddies looking to make a dishonest buck.

Beaumont's write-up of the threat and suggested mitigations can be found here.
Click to expand...

guest · Jul 16, 2018

No Evidence of GandCrab Leveraging SMB Exploit – Yet
July 16, 2018
https://threatpost.com/no-evidence-of-gandcrab-leveraging-smb-exploit-yet/134017/

However, while the new version contains a new network communication method, researchers said they could not find evidence that the malware can self-propagate via the Windows SMB exploit.

“Since we had not seen any technical report for the claim, we decided to investigate and confirm this rumour since this functionality was not observed during our previous analysis. However, this was to no avail,” the researchers said in a recent post about the newest GandCrab sample.

Researchers said they found this module string in version 4.0 of the malware (not in samples of the most recent 4.1 version, however), but could not find any actual function that resembles the reported exploit capability.

Despite a lack of evidence for the “SMB exploit,” researchers at Fortnet warned that GandCrab will continue to evolve and may adopt the method in the future.
Click to expand...

guest · Jul 19, 2018

Vaccine Available for GandCrab Ransomware v4.1.2
July 19, 2018
https://www.bleepingcomputer.com/news/security/vaccine-available-for-gandcrab-ransomware-v412/

AhnLab, a South Korea-based cyber-security firm, has released today a vaccine app that blocks the GandCrab ransomware from taking root and encrypting users' files.

This vaccine app works by creating a special file on users' computers that the GandCrab ransomware checks before encrypting user data.
This file is named [hexadecimal-string].lock and is saved at the following locations. [...]
Vaccine app tricks GandCrab ransomware
The hexadecimal ID is generated based on the computer's volume information of the root drive and a custom Salsa20 algorithm and is unique per user.
Only works with GandCrab v4.1.2
While the current vaccine app blocks GandCrab v4.1.2, it may also be possible to backport the app and prevent older GandCrab v4 versions from infecting users as well.
Click to expand...

guest · Aug 3, 2018

GandCrab Ransomware Author Bitter After Security Vendor Releases Vaccine App
August 03, 2018
https://www.bleepingcomputer.com/ne...r-after-security-vendor-releases-vaccine-app/

The author of the GandCrab ransomware is a little bit bitter at South Korean security vendor AhnLab after the security firm released a vaccine for the GandCrab ransomware.

This bitterness boiled over earlier this week when the GandCrab author contacted Bleeping Computer with the news that the upcoming version of the GandCrab ransomware would contain an alleged zero-day for the AhnLab v3 Lite antivirus.
Retaliation for GandCrab vaccine app
The GandCrab author, who used the pseudonym of "Crabs" in conversations with this reporter, claimed this was payback for AhnLab releasing a vaccine app for the GandCrab ransomware v4.1.2, on July 19.
After receiving the alleged exploit, Bleeping Computer shared the exploit with the AhnLab team.
New GandCrab versions 4.2.1 and 4.3 include AhnLab exploit
We initially did not plan on releasing this article until AhnLab had patched their software, but things changed yesterday when Malwarebytes security researcher Marcelo Rivero, and then others, spotted GandCrab v4.2.1 and GandCrab v4.3.
Click to expand...

Minimalist · Aug 16, 2018

New Ransomware Attacks Use Powerful Encryption to Impede Analysis and Evade Detection

Security researchers reverse engineered the updated GandCrab ransomware and discovered new features that improve its ability to evade detection and impede analysis by defense teams.
Click to expand...

https://securityintelligence.com/ne...ption-to-impede-analysis-and-evade-detection/

guest · Aug 21, 2018

GandCrab’s Rotten EGGs Hatch Ransomware in South Korea
August 20, 2018
https://threatpost.com/gandcrabs-rotten-eggs-hatch-ransomware-in-south-korea/136689/

The VenusLocker group appears to be back, hatching a fresh GandCrab ransomware campaign, so to speak, using the EGG niche file type. The emails with EGG attachments are meant to specifically take aim at South Korean users.

Trend Micro researchers, who first observed the offensive campaign in early August and posted about it today, noted that the attachments are being used to deliver the GandCrab v4.3 ransomware

Trend Micro researcher Donald Castillo in a post Monday cited further evidence that the operators behind the spam are specifically going after South Korean users: The use of the specifically South Korean alphabet, Hangul, in the spam mails’ subject, body and filename attachment.

[...] There are two shortcut .lnk files that are disguised to appear as documents, and an executable that disappears once the user decompresses the EGG file. The hidden executable carries the GandCrab payload; it unpacks once a user clicks on either one of the two files that purport to be the documents.
Click to expand...

guest · Sep 6, 2018

New Fallout Exploit Kit Drops GandCrab Ransomware or Redirects to PUPs
September 6, 2018
https://www.bleepingcomputer.com/ne...ops-gandcrab-ransomware-or-redirects-to-pups/

A new exploit kit called Fallout is being used to distribute the GandCrab ransomware, fake antivirus software, malware downloading Trojans, and other unwanted programs.

First discovered by security researcher nao_sec at the end of August 2018, this kit is installed on hacked sites and will attempt to exploit vulnerabilities on a visitor's computer. The exploited vulnerabilities are for Adobe Flash Player (CVE-2018-4878) and the Windows VBScript engine (CVE-2018-8174).

In a report released today by FireEye, the Fallout Exploit Kit has been observed installing the GandCrab Ransomware on Windows machines and for macOS users will redirect visitors to pages promoting fake antivirus software or fake Adobe Flash Players.

If the computer was successfully exploited, it will cause Windows to download and install a Trojan onto the computer. This Trojan will check for the following processes, and if found, will cause the Trojan to enter an infinite loop and not perform any further malicious activities. [...] Otherwise, it will download and execute a DLL that installs the GandCrab ransomware.
Click to expand...

guest · Sep 15, 2018

New GandCrab variant attacks Florida School District
September 14, 2018
https://www.scmagazine.com/home/news/new-gandcrab-variant-attacks-florida-school-district/

A GandCrab ransomware attack forced Monroe County School District in Florida to shut down its computer systems for at least three days.

This particular ransomware was first spotted in January 2018 being distributed via two distinct exploit kits in a few ongoing campaigns. The version used to attack the school appeared to be a newer version of the malware.

“This particular one was a variant that Symantec hadn’t seen before,” Pat Lefere, executive director of operations and planning for the district told The Miami Herald. “They took all of our files and created a patch for us. It was applied to all servers before bringing them back up.”
Click to expand...

guest · Sep 25, 2018

GandCrab V5 Released With Random Extensions and New HTML Ransom Note
September 25, 2018
https://www.bleepingcomputer.com/ne...h-random-extensions-and-new-html-ransom-note/

GandCrab v5 has been released with a few noticeable changes. The first change is that the ransomware now uses a random 5 character extension for encrypted files and a new HTML ransom note.

It is not currently known how GandCrab v5 is being distributed. Previous versions were utilizing exploit kits and cracks to distribute the ransomware, but it does not appear that exploit kits are currently distributing this version.

Like previous versions, there is no way to decrypt victims of GandCrab v5 for free. For those who wish to discuss this ransom or receive support, you can use our dedicated GandCrab Help & Support topic.
Click to expand...

guest · Sep 26, 2018

GandCrab v5 Ransomware Utilizing the ALPC Task Scheduler Exploit
September 26, 2018
https://www.bleepingcomputer.com/ne...re-utilizing-the-alpc-task-scheduler-exploit/

The GandCrab v5 ransomware has started to use the recently disclosed Task Scheduler ALPC vulnerability to gain System privileges on an infected computer.

GandCrab's use of this vulnerability was first discovered by a malware analyst named Valthek, who posted about it on Twitter. Valthek has told BleepingComputer that this vulnerability appears to be the same one that security researcher Kevin Beaumont posted in his Github repository.
Vaccine for GandCrab updated to support v5
Valthek has also released a vaccine that when run on a computer, prevents it from being infected by GandCrab. While this may protect some users, it should be cautioned that the GandCrab developers could just as easily change their program to bypass this vaccine.
Click to expand...

guest · Sep 27, 2018

Phorpiex worm pivots to infect the enterprise with GandCrab ransomware
September 27, 2018
https://www.zdnet.com/article/phorp...prise-with-ransomware-through-weak-endpoints/

An established botnet and worm malware variant is engaged in a new campaign designed to infect the enterprise with GandCrab ransomware.

Phorpiex/Trik is not sophisticated. Not to be confused with the TrickBot banking Trojan, the malware.
"Phorpiex as a malware family has been around for several years and hasn't changed much in purpose, functionality, or code," researchers from InQuest say.

Phorpiex/Trik will scan the web for Internet-facing Remote Desktop Protocol (RDP) and Virtual Network Computing (VNC) endpoints, via port 5900. In random order, these endpoints are then targeted with brute-force attacks.

This week, version 5 of the ransomware was released which demands payment in the Dash or Bitcoin cryptocurrencies. However, the Phorpiex/Trik campaign appears to be spreading version 4 at present.
Click to expand...

FanJ · Sep 29, 2018

Several Dutch news sites are reporting today about a rise in GanCrab infections with thousands computers infected.
I'm really sorry, those sites are in Dutch.
https://www.rtlnieuws.nl/tech/artikel/4432861/duizenden-ransomware-slachtoffers-gandcrab
https://nos.nl/artikel/2252585-nieuwe-ransomware-gijzelt-duizenden-nederlandse-computers.html

According to the articles there are many computers infected in Holland, Germany, Belgium, UK.

The articles have quotes from:
Thomas Maarseveen of Steel Mountain;
Dave Maasland of ESET NL;
Maarten van Dantzig of Fox-IT.

itman · Sep 29, 2018

Thousands of Dutch people can no longer access the files on their computer due to the new hostage virus GandCrab, reports RTL Nieuws. Only when the victims pay a 'ransom' of more than € 1,000 will they regain access to their files. GandCrab is distributed through attachments in e-mails and by downloading illegal versions of paid software in which the virus is hidden. Increase worldwide infections According to Dave Maasland of cyber security company ESET, there has been a huge increase in the number of infections worldwide since 30 August. There are also two to three times as many reports in the Netherlands as before.
Click to expand...

My guess is its attacking devices that haven't applied this month's cumulative Win update related to the above ALPC Task Scheduler Exploit vulnerability.

guest · Oct 3, 2018

Z-LAB Report – Analyzing the GandCrab v5 ransomware
October 3, 2018
https://securityaffairs.co/wordpress/76763/malware/gandcrab-v5-ransomware.html

Malware researchers at Cybaze ZLab analyzed the latest version of the infamous GandCrab ransomware, version 5.0. Most of the infections have been observed in central Europe, but experts found evidence that the malicious code doesn’t infect Russian users.

The ransomware uses a pseudo-randomic extension (5 characters long), that is different for each infection (some of these extensions are: .txvpq, .rttmc, .mcbot, etc…).

Unlike GandCrab v4, this version is able to kill some processes associated with some popular applications (i.e. Word, Excel, SQLServer etc.) to allow the code to encrypt the files opened by these applications.

Technical details, including IoCs and Yara Rules, are reported in the analysis shared by researchers at the ZLab.
Click to expand...

full ZLAB Malware Analysis Report (PDF): http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf

guest · Oct 11, 2018

Rapidly Evolving Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation
October 10, 2018
https://securingtomorrow.mcafee.com...artners-with-crypter-service-for-obfuscation/

The GandCrab ransomware, which first appeared in January, has been updated rapidly during its short life, with Version 5.0.2 appearing this month. In this post we will examine the latest version and how the authors have improved the code (and in some cases have made mistakes).

Despite the agile approach of the developers, the coding is not professional and bugs usually remain in the malware (even in Version 5.0.2), but the speed of change is impressive and increases the difficulty of combating it.

With Version 5, yet another alliance with a criminal service has been formed. The malware crypter service NTCrypt announced that it is partnering with the GandCrab crew. A crypter service provides malware obfuscation to evade antimalware security products.
The NTCrypt-GandCrab partnership announcement offering a special price for GandCrab users.
The partnership between GandCrab and NTCrypt was established in a novel way. At the end of September, the GandCrab crew started a “crypt competition” on a popular underground forum to find a new crypter service they could partner with. NTCrypt applied and eventually won the competition. [...]
Click to expand...

guest · Oct 17, 2018

GandCrab Devs Release Decryption Keys for Syrian Victims
October 17, 2018
https://www.bleepingcomputer.com/ne...s-release-decryption-keys-for-syrian-victims/

The release of these decryption keys was in response to a Tweet where a Syrian victim asked for help after photos of his deceased children were encrypted.

After seeing this tweet, the GandCrab developers posted on a forum that they have released the keys for all Syrian victims. They also stated that it was a mistake that Syria was not added to the original list of countries that GandCrab would not encrypt, but did not say if they would be added going forward.

For victims, in other countries, the developers continue to have no sympathy and have stated they will never release those keys and will delete them when they shut down GandCrab.
Even though these keys have been released, we still need to wait for an antivirus company or security researcher to create a decryptor that can utilize them.
Click to expand...

Log in or Sign up

GandCrab, a new ransomware-as-a-service emerges from Russian crime underground

Minimalist Registered Member

cruelsister Registered Member

Minimalist Registered Member

FanJ Updates Team

itman Registered Member

guest Guest

Minimalist Registered Member

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

FanJ Updates Team

itman Registered Member

guest Guest

guest Guest

guest Guest

Log in or Sign up

GandCrab, a new ransomware-as-a-service emerges from Russian crime underground

Minimalist Registered Member

cruelsister Registered Member

Minimalist Registered Member

FanJ Updates Team

itman Registered Member

guest Guest

Minimalist Registered Member

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Minimalist Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

FanJ Updates Team

itman Registered Member

guest Guest

guest Guest

guest Guest

Useful Searches