Story image

GandCrab: The 'agile' ransomware that is updated in real time

27 Mar 2018

The GandCrab ransomware has been making headlines recently for being one of the few malware strains that developers update in real time and according to Check Point’s research team, even ransomware is agile now.

By mid-March 2018, the GandCrab ransomware had infected more than 50,000 systems and snatched up to US$600,000 from victims since its debut in January.

Most infections were across the US, UK and Scandinavia, however attacks have also been spotted in Australia and Israel.

Check Point researchers say GandCrab has its own affiliate programme on the dark web, which may be a haven for more than 80 affiliates.

This programme, like many others, allows cybercriminals with few technical skills to run their own ransomware sprees.

The programme even provides advice and encouragement about what regions may be the most profitable. It can pay as much as 30-40% of ransom revenues to the developer.

The ransomware, which is primarily delivered by spam campaigns as well as the GrandSoft and Rig exploit kits.

The ransomware may be the work of a suspected Russian developer, may well be under-engineered but somehow, still effective.

“For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat,” researchers say in a blog.

Security experts managed to develop a GandCrab decryption tool but the ransomware creator was clearly watching. The creator quickly changed the ransomware to make the decryptor ‘useless’.

What’s more, GandCrab is able to avoid signature-based antivirus tools and test itself against them. This allows the ransomware to ‘maintain a fully undetected status’.

Check Point used its own anti-ransomware tools to further analyse GandCrab from a simulated infection.

“The execution process tree had not changed much and the forensic report could still trace back the encryption back to the source of infection. This allows for understanding which user files were affected and were was the infection source for all versions of the GandCrab ransomware,” Check Point explains.

“In the fifth generation of cyber threats, ransomware-as-a-service is evolving, its primary goal is still extortion, but now it’s agile. As a result, it is vital that organizations arm themselves with ‘Gen V’ advanced technologies in order to face these new threats with confidence,” Check Point concludes.

Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.