Story image

GandCrab: The 'agile' ransomware that is updated in real time

27 Mar 2018

The GandCrab ransomware has been making headlines recently for being one of the few malware strains that developers update in real time and according to Check Point’s research team, even ransomware is agile now.

By mid-March 2018, the GandCrab ransomware had infected more than 50,000 systems and snatched up to US$600,000 from victims since its debut in January.

Most infections were across the US, UK and Scandinavia, however attacks have also been spotted in Australia and Israel.

Check Point researchers say GandCrab has its own affiliate programme on the dark web, which may be a haven for more than 80 affiliates.

This programme, like many others, allows cybercriminals with few technical skills to run their own ransomware sprees.

The programme even provides advice and encouragement about what regions may be the most profitable. It can pay as much as 30-40% of ransom revenues to the developer.

The ransomware, which is primarily delivered by spam campaigns as well as the GrandSoft and Rig exploit kits.

The ransomware may be the work of a suspected Russian developer, may well be under-engineered but somehow, still effective.

“For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat,” researchers say in a blog.

Security experts managed to develop a GandCrab decryption tool but the ransomware creator was clearly watching. The creator quickly changed the ransomware to make the decryptor ‘useless’.

What’s more, GandCrab is able to avoid signature-based antivirus tools and test itself against them. This allows the ransomware to ‘maintain a fully undetected status’.

Check Point used its own anti-ransomware tools to further analyse GandCrab from a simulated infection.

“The execution process tree had not changed much and the forensic report could still trace back the encryption back to the source of infection. This allows for understanding which user files were affected and were was the infection source for all versions of the GandCrab ransomware,” Check Point explains.

“In the fifth generation of cyber threats, ransomware-as-a-service is evolving, its primary goal is still extortion, but now it’s agile. As a result, it is vital that organizations arm themselves with ‘Gen V’ advanced technologies in order to face these new threats with confidence,” Check Point concludes.

New threat rears its head in new malware report
Check Point’s researchers view Speakup as a significant threat, as it can be used to download and spread any malware.
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.