Story image

GandCrab: The 'agile' ransomware that is updated in real time

27 Mar 18

The GandCrab ransomware has been making headlines recently for being one of the few malware strains that developers update in real time and according to Check Point’s research team, even ransomware is agile now.

By mid-March 2018, the GandCrab ransomware had infected more than 50,000 systems and snatched up to US$600,000 from victims since its debut in January.

Most infections were across the US, UK and Scandinavia, however attacks have also been spotted in Australia and Israel.

Check Point researchers say GandCrab has its own affiliate programme on the dark web, which may be a haven for more than 80 affiliates.

This programme, like many others, allows cybercriminals with few technical skills to run their own ransomware sprees.

The programme even provides advice and encouragement about what regions may be the most profitable. It can pay as much as 30-40% of ransom revenues to the developer.

The ransomware, which is primarily delivered by spam campaigns as well as the GrandSoft and Rig exploit kits.

The ransomware may be the work of a suspected Russian developer, may well be under-engineered but somehow, still effective.

“For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat,” researchers say in a blog.

Security experts managed to develop a GandCrab decryption tool but the ransomware creator was clearly watching. The creator quickly changed the ransomware to make the decryptor ‘useless’.

What’s more, GandCrab is able to avoid signature-based antivirus tools and test itself against them. This allows the ransomware to ‘maintain a fully undetected status’.

Check Point used its own anti-ransomware tools to further analyse GandCrab from a simulated infection.

“The execution process tree had not changed much and the forensic report could still trace back the encryption back to the source of infection. This allows for understanding which user files were affected and were was the infection source for all versions of the GandCrab ransomware,” Check Point explains.

“In the fifth generation of cyber threats, ransomware-as-a-service is evolving, its primary goal is still extortion, but now it’s agile. As a result, it is vital that organizations arm themselves with ‘Gen V’ advanced technologies in order to face these new threats with confidence,” Check Point concludes.

Symantec releases neural network-integrated USB scanning station
Symantec Industrial Control System Protection Neural helps defend against USB-borne cyber attacks on operational technology.
SingleSource scores R&D grant to explore digital identity over blockchain
Callaghan Innovation has awarded a $318,000 R&D grant to Auckland-based firm SingleSource, a company that applies risk scoring to digital identity.
Ramping up security with next-gen firewalls
The classic firewall lacked the ability to distinguish between different kinds of web traffic.
Spark Lab launches free cybersecurity tool for SMBs
Spark Lab has launched a new tool that it hopes will help New Zealand’s small businesses understand their cybersecurity risks.
Gartner names LogRhythm leader in SIEM solutions
Security teams increasingly need end-to-end SIEM solutions with native options for host- and network-level monitoring.
Cylance makes APIs available in endpoint detection offering
Extensive APIs enable security teams to more efficiently view, enrich, and contextualise real-time intelligence collected at the endpoint to keep systems secure.
SolarWinds adds SDN monitoring support to network management portfolio
SolarWinds announced a broad refresh to its network management portfolio, as well as key enhancements to the Orion Platform. 
JASK prepares for global rollout of their AI-powered ASOC platform
The JASK ASOC platform automates alert investigations, supposedly freeing the SOC analyst to do what machines can’t.