All You Need to Know About the GandCrab Ransomware

GandCrab Ransomware

Following the footsteps of ransomware like Petya and WannaCry, GandCrab ransomware created havoc in the first months of 2018 as money-snatching crab loitering online. With the agenda of joining the forum of illegal hacking, GandCrab ransomware became one of the widely-distributed trojans.

Later, the South Korean security vendor AhnLab released a vaccine for the same and saved the victims from paying millions. Recently, the owner of the GandCrab ransomware has warned about the upcoming version of the trojan as a retaliation against the AhnLab’s vaccine. As per the reports, the new ransomware might include zero-day for the AhnLab v3 Lite antivirus.

But what exactly is GandCrab ransomware and how does it affect our system? In this blog, we will focus on the GandCrab ransomware analysis and its remedies.

How It Works?

Once the ransomware lands on the victim’s system, it automatically takes the victim to the GrandSoft EK page or on Rig Exploit Kit page. From here, the GandCrab ransomware controls the files of the system and lock the device.

Once the ransomware infiltrates the machine, it gathers every sensitive and personal information of the user to intimidate them. Information about passwords, username, antivirus, keyboard type, Windows version etc. is accumulated to decide the future strategy. It eliminates or disables the process currently running on the system to expose and encrypt files and folders.

Gandcrab Ransomware Analysis
Source: Bleeping computer

 

Also Read : An Insight to CoinVault Ransomware

The next target of ransomware is built-in crypto functions for creating private and public keys on the system of the victim. These keys are then sent to one of the ransomware page along with all the significant information about the victim’s machine. It is the same information that the trojan gathered from the victim’s computer and hosted it on .bit domain.

In the final stage, this ransomware starts encrypting all the documents through the public key created earlier. It adds “.GDCB” extension to every document for encryption. Once the encryption is completed, it creates a “GDCB-DECRYPT.txt” file along with a message demanding ransom from the victim for decrypting the information.

Gandcrab Ransomware Protection Tool
Source: cyberswachhtakendra

How the Ransomware Is Spreading?

As per the source, the ransomware is spreading via corrupted websites and emails and compromised advertisements. However, experts have managed to find two sources:

1. Documents and JavaScript attachments in emails

2. Use of exploit kits for Drive-by download

Payload History of GandCrab ransomware

1. GandCrab v1

The first version of this ransomware was discovered in January 2018 by a security researcher named David Montenegro. The GandCrab payload shows conventional ransomware activities, where it encrypts victim’s data with a key. The key stays unique to each victim and the owner send ransom messages along with commands to pay the amount in exchange for the key. The trojan spread like a wildfire, where the victims were asked to pay the amount in the crypto-currency DASH. Soon, they started accepting Bitcoin too.

2. GandCrab v2

As soon as the decryptor released for GandCrab v1, the next attack was launched on 5th march, 2018. The latest version of the ransomware was more powerful and the decryptor did not work for it. Also, the trojan launched a new and better extension with diverse hard coded domain. Also, the codes moved to a DLL and it started attacking the kernel-mode elements of Antivirus software.

Also, each ransom message had a version number and, each payload had another “internal version number. The payload version number was used for connecting to the C&C over the network and none of the number matched to each other

3. GandCrab v3

On April 23, 2018, an updated version of GandCrab was discovered with internal version 3.0.0. Later, on May 9, 2018 v3.0.1 version was released.

4. GandCrab v4

On July 1st, 2018, the latest version of GandCrab ransomware came into existence and on July 5th, an updated v4.1 version released. This version of the ransomware has some noteworthy features to unlock. It replaced most of the codes, performed fast encryption and then quickly vanished from the system to avoid detection.

Must Read : All You Need to Know About Spartacus Ransomware

GandCrab Ransomware Protection Tool

Adopt some good computing habits and keep updating your security software. Always keep backup of your important data to offline devices that you can restore anytime. Also ensure that you never leave your machine and system running and connected to the internet especially your desktop.

So, this was all about the Gandcrab Ransomware Protection Tool and its in-depth analysis. Keep your system safe and avoid any ransomware attack by staying alert and taking precautionary steps.