In January, a new ransomware by the name of GandCrab began making waves in the InfoSec community. According to in-depth research by Check Point, it was identified as likely being of Russian origin and as targeting Scandinavian and English-speaking nations. The ransomware was spread through multiple attack methods, including email spam and exploit kits. In its first incarnation, the GandCrab ransomware infected over 50,000 victims and collected roughly $300,000-$600,000 in payouts.
The attacks did not go unnoticed by the authorities, and Romanian police and Europol seized the command-and-control servers that GandCrab authors relied on. As a result, RSA decryption keys were made available to victims and it seemed like it was game over for this ransomware. This turned out, however, to be far from the case as a new GandCrab version emerged not long after the hostile takeover of the C&C servers.
As Check Point researchers have discovered, GandCrab in its second version is still able to stay ahead of white hats and malware researchers. The research post linked to earlier in this article explains it as follows:
Comparing the two versions of GandCrab gives us a glimpse into the process by which a strain of ransomware evolves. The authors started by publishing the least well-built malware that could possibly work, and improved it as they went along. Given this, and given that this newest version was released within the week, the bottom line seems to be: It’s the year 2018, even ransomware is agile.
The GandCrab ransomware authors do not actually take part in campaigns. Instead, they rent their product out on the Dark Web, so they can devote all of their attention to improving the ransomware itself. Threatpost notes in its own report on GandCrab that the early version of the ransomware was “full of bugs and mistakes from a developer’s standpoint.” This has been remedied and will continue to be remedied, as long as the authors of GandCrab have a steady supply of users to deploy their product.
GandCrab, at least for now, is here to stay and all cybersecurity professionals should continue to monitor it.
Photo credit: Wikimedia