GandCrab ransomware returns in new ‘improved’ version

In January, a new ransomware strain by the name of GandCrab began making waves in the InfoSec community. According to in-depth research by Check Point, it was identified as being of likely Russian origin and as targeting Scandinavian and English-speaking nations. The ransomware was distributed through multiple delivery methods, including email spam and exploit kits. In its first incarnation, GandCrab infected over 50,000 victims and collected roughly $300,000-$600,000 in payouts.

The attacks did not go unnoticed by the authorities: Romanian police and Europol seized the command-and-control servers that the GandCrab authors relied on. As a result, RSA decryption keys were made available to victims, and it seemed like it was game over for this ransomware. That turned out to be far from the case, however, as a new GandCrab version emerged not long after the seizure of the C&C servers.

As Check Point researchers have discovered, the second version of GandCrab still manages to stay ahead of white hats and malware researchers. The research post linked to earlier in this article explains it as follows:

Comparing the two versions of GandCrab gives us a glimpse into the process by which a strain of ransomware evolves. The authors started by publishing the least well-built malware that could possibly work, and improved it as they went along. Given this, and given that this newest version was released within the week, the bottom line seems to be: It’s the year 2018, even ransomware is agile.

The GandCrab authors do not actually take part in campaigns themselves. Instead, they rent their product to affiliates on the Dark Web under a ransomware-as-a-service model, so they can devote all of their attention to improving the ransomware itself. Threatpost notes in its own report on GandCrab that the early version of the ransomware was “full of bugs and mistakes from a developer’s standpoint.” Those defects have been fixed, and will continue to be fixed, as long as the authors have a steady supply of customers to deploy their product.

GandCrab, at least for now, is here to stay and all cybersecurity professionals should continue to monitor it.

Photo credit: Wikimedia

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
