David Balaban


Gandcrab — the Most Prevalent Ransomware in 2019

File-encrypting ransomware has gone through significant ups and dramatic downs over the past few years. Overshadowed by the influx of malicious cryptocurrency mining applications in late 2017, this area of cybercrime took a nosedive that only the most durable strains survived. A sample called GandCrab made its debut in the midst of this lull and became a game changer.

With the first infections documented in January 2018, this family quickly gained traction and came to dominate the extortion landscape. Its original variant was crafted competently enough to rule out free decryption, so users who suddenly discovered their personal files appended with the unfamiliar .GDCB extension had no way to recover the hostage data other than paying the ransom or restoring from backups. Then came editions that marked files with the .CRAB and .KRAB strings, superseded by a series of the pest's personas using random, victim-specific extensions.

As of March 2019, the GandCrab family has spawned 9 distinct variants along with sub-versions and has reached v5.2. Courtesy of Bitdefender, which recently released a free decryptor supporting iterations up to 5.1, numerous victims were able to reinstate their valuable data. However, the infection in its current form cannot be decrypted this way, a reminder that decryptors tend to lag one release behind the malware.

Distribution and other tricks

Here's an overview of the mechanisms the GandCrab crew employed over the course of the malware's evolution to spread it on a large scale and diversify their shady monetization portfolio.

· An intricate phishing campaign that took root in late January 2019 delivered GandCrab payloads disguised as an emergency exit map update. The emails looked like fine-tuned instructions for the recipients to leave their building in case of fire or any other disaster requiring evacuation. Such an alarming subject encouraged many users to open the attached Word document and enable macros to see the contents. Nothing ran until the recipient clicked "Enable Content"; doing so launched an inconspicuous PowerShell script that downloaded the ransomware behind the scenes.

· In February 2019, security analysts exposed an unethical partnership between GandCrab operators and sketchy data recovery companies. These firms claimed to provide seamless file decryption for a fee higher than the actual ransom. Many users who were at their wit's end trying to get their digital lives back opted for such intermediary services, only to pay more than the extortionists wanted. It turned out that the unscrupulous middlemen could access a hidden discount feature on the ransomware's Tor payment page, pocketing the difference.

· Although largely malevolent, the GandCrab campaign had minor shades of sympathy for the plagued users. In mid-October 2018, the cybercriminals decided to release the decryption keys for victims living in Syria. The motivation was a tweet by a Syrian man stating that the ransomware had locked down the photos of his deceased children. The extortionists uploaded a ZIP file containing the keys to an underground hacking forum and wrote they should have excluded Syria from the list of targeted countries in the first place. Security vendors shortly updated their free decrypt tools, thus automating the recovery for users from the Middle Eastern country.

· The very first outbreak of GandCrab demonstrated that it wasn't a run-of-the-mill strain. It was the only sample at the time that accepted ransoms in the privacy-centric Dash cryptocurrency alongside Bitcoin. Furthermore, contrary to the majority of ransom Trojans, it was doing the rounds via the Rig and GrandSoft exploit kits, which used flaws in unpatched software to drop the payload. All the elements of this campaign were competently designed from the ground up, suggesting that the adversaries were experienced criminals.

· The white hats have made a few breakthroughs in fending off the GandCrab epidemic. The earliest of these initiatives hit the headlines in late February 2018. Romanian law enforcement orchestrated an operation that resulted in the seizure of some Command & Control servers used by the ransomware distributors. The cryptographic keys obtained from them enabled Bitdefender to create a decryptor for GandCrab v1. Unfortunately, a week later the malefactors launched a new variant that the tool could no longer crack.

· One more anti-ransomware move, by South Korean security software provider AhnLab, drew a sort of vengeance from the GandCrab makers. In July 2018, the analysts came up with a vaccine that prevented the crypto virus from mutilating one's files. The app made it look as if the computer were already infected with this sample, which caused GandCrab to terminate instead of encrypting.

The perpetrators responded to this maneuver by equipping the next ransomware variant with a zero-day exploit targeting the AhnLab Lite antivirus suite. In theory, the bug could crash the AV, a denial-of-service condition. In practice, the security tool detected and blocked the malicious code before the bug could cause a BSOD or any other damage.

· GandCrab v5.0 leveraged a flaw in the Windows Task Scheduler's ALPC (Advanced Local Procedure Call) component in September 2018 (tracked as CVE-2018-8440, an elevation-of-privilege bug that had been publicly disclosed without a patch). By taking advantage of this vulnerability, the ransomware escalated its privileges and could run processes with elevated rights on a compromised computer. In particular, it used those rights to delete Volume Shadow Copies of the victim's data, cutting off a common recovery path, and to set the desktop background to the ransom warning. Although Microsoft patched the vulnerability the same month, numerous machines remained exposed because users were slow to apply the update.

· In early September 2018, the threat actors behind GandCrab added another exploit kit, dubbed Fallout, to their distribution repertoire. Although this malicious framework had appeared only a week earlier, it had already gained notoriety for spreading a malware downloader called SmokeLoader and a number of nuisance apps. Fallout used known vulnerabilities in out-of-date versions of Adobe Flash Player and the Windows VBScript engine for remote code execution. The exploit kit deposited GandCrab v4 (.KRAB extension) as a second-stage payload on a vulnerable computer.

· The biggest win for security researchers in their battle against GandCrab took shape in February 2019. Bitdefender updated their decryption tool so that it now supports all major versions of the ransomware up to v5.1. This became possible thanks to the vendor's collaboration with Europol and law enforcement agencies from several countries. The joy was short-lived, though. A couple of days afterward, the felons released the GandCrab 5.2 variant, which the tool cannot decrypt.


GandCrab is currently the world's top ransomware menace, thriving and evolving despite the efforts of security researchers and law enforcement. Although the achievements in restoring hostage data are significant and commendable, the malefactors keep finding new tricks to stay ahead of the analysts.

Under these circumstances, proactive defense is the best way to stay safe:

· Regularly back up your most valuable files, and keep at least one copy offline or versioned so that the ransomware cannot encrypt the backup along with the originals.

· Keep the operating system and third-party software up to date; both the ALPC bug and the exploit-kit vectors above only worked on unpatched machines.

· Treat unexpected email attachments and links with caution, and do not enable macros in a document you were not expecting; where possible, block macros in documents from the internet via policy.

· Run up-to-date antivirus software. A VPN protects traffic in transit but does nothing against a malicious attachment or an exploit kit, so do not rely on it for ransomware defense.
