GandCrab ransomware returns in new ‘improved’ version

In January, a new ransomware family by the name of GandCrab began making waves in the InfoSec community. According to in-depth research by Check Point, it is of likely Russian origin and targets Scandinavian and English-speaking countries. The ransomware was delivered through multiple methods, including email spam and exploit kits. In its first incarnation, GandCrab infected over 50,000 victims and collected roughly $300,000-$600,000 in ransom payments.

The attacks did not go unnoticed by the authorities: Romanian police and Europol seized the command-and-control servers that the GandCrab authors relied on. As a result, the RSA decryption keys held on those servers were made available to victims, and it seemed like game over for this ransomware. Note that recovered keys only help victims of the version whose infrastructure was seized; they do nothing against a release that uses fresh keys and new servers. That turned out to be exactly what happened, as a new GandCrab version emerged not long after the takeover of the C&C servers.

As Check Point researchers have found, GandCrab in its second version is still able to stay ahead of white hats and malware researchers. The Check Point research post referenced above explains it as follows:

Comparing the two versions of GandCrab gives us a glimpse into the process by which a strain of ransomware evolves. The authors started by publishing the least well-built malware that could possibly work, and improved it as they went along. Given this, and given that this newest version was released within the week, the bottom line seems to be: It’s the year 2018, even ransomware is agile.

The GandCrab authors do not actually take part in campaigns themselves. Instead, they rent their product to affiliates on the Dark Web (a ransomware-as-a-service model), so they can devote all of their attention to improving the ransomware itself. Threatpost notes in its own report on GandCrab that the early version was “full of bugs and mistakes from a developer’s standpoint.” Those defects have been fixed, and the authors will keep fixing and improving the code as long as they have a steady supply of affiliates to deploy it.

GandCrab, at least for now, is here to stay, and cybersecurity professionals should continue to monitor it.

Photo credit: Wikimedia

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
