GandCrab Ransomware

GandCrab: The New Dash Ransomware that’s on the Loose

By Editorial Team

Last year seemed like the year of ransomware. We saw the proliferation of WannaCry, Bad Rabbit and Petya, to name a few. These attacks paralysed computers across the board, from businesses to hospitals.

Now, it seems as if the ransomware scourge is still alive and strong in 2018.

A new type of ransomware called “GandCrab” is making the rounds and inflicting harm. This strain, which is of Russian origin, is also interesting in that it is one of the few “ransomware as a service” operations.

Another interesting thing about GandCrab is that it demands payment in the DASH cryptocurrency instead of Bitcoin. This is probably because DASH payments are harder to trace.

Let’s take a deeper look into the latest threat and what you can do to avoid it.

What is GandCrab?

GandCrab is ransomware that is spread through two exploit kits, namely RIG EK and GrandSoft EK. It was first discovered earlier this year, on the 26th of January. Below is the tweet by the researcher in question.

The ransomware has since gained much more attention in cybersecurity circles and has been the subject of further research. One of the firms involved was LMNTRIX, which is based in Australia. They also delved into dark web forums to determine how the ransomware is distributed.

GandCrab operates as one of the few “ransomware as a service” schemes. Essentially, the attackers operate on an affiliate structure, where the developers take a percentage of each ransom collected by the affiliates. The developers of the ransomware offer unlimited fixes and tech support for the code.

They also offer larger partners a better cut, improving the typical 60:40 split to a more lucrative 70:30. Such is the nature of this criminal offer that they have even released a YouTube video that walks partners through setting the ransomware up.

There are few restrictions on where the affiliates can operate; however, they are not allowed to target citizens of countries in the former Soviet Union. This is most likely because the operators and the servers are located in these countries.

How Does it Operate?

The GandCrab ransomware uses the well-known RIG and GrandSoft exploit kits. These have been known to deliver malware in the past through compromised websites. They have only once before been used for a malware payload.

It has also recently been reported by Malwarebytes Labs that the GandCrab payload is being distributed through EITest and Necurs spam mail. The latter asks the user to download a PDF invoice for their attention.

Image: Email with malicious PDF attachment. Source: bleepingcomputer.com

Once the user opens the PDF, they are asked to complete a captcha inside the PDF file. When that is done, it drops a malicious Word file that asks the user to enable macros. If the user does so, the macro runs a PowerShell script.

This script then launches the GandCrab ransomware, which starts connecting to its command and control servers (which use .bit domains). It encrypts the user's files, and the user is given an .onion URL at which the ransom page can be reached. Below is the page in question, which asks for 1.5 DASH.

Image: Ransom note screen. Source: malwarebytes.com
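The infection chain above leaves two host-side signals a defender can alert on: an Office process spawning PowerShell (the macro stage) and DNS lookups for .bit domains (the command and control stage). The detection logic below is an added example, not code from the article or from any of the researchers it cites; the log lines are constructed samples in a simplified Sysmon-like key=value form, and the host names and the .bit domain are placeholders.

```python
"""Flag the GandCrab-style chain described above: Office macro -> PowerShell,
and DNS queries for .bit (Namecoin) command-and-control domains."""
import re
from pathlib import PureWindowsPath

# Constructed sample events (hypothetical hosts, placeholder C2 domain).
SAMPLE_EVENTS = [
    r'type=process host=PC01 parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\WINWORD.EXE"',
    r'type=process host=PC01 parent="C:\Program Files\Microsoft Office\WINWORD.EXE" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
    r'type=dns host=PC01 query=update.example.com',
    r'type=dns host=PC01 query=c2-placeholder.bit',
    r'type=process host=PC02 parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"',
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn 'k=v k="v with spaces"' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def detect(events):
    """Return (host, rule, detail) tuples for events matching either rule."""
    alerts = []
    for ev in map(parse_event, events):
        if ev.get("type") == "process":
            # Compare executable basenames only, case-insensitively.
            parent = PureWindowsPath(ev["parent"]).name.lower()
            child = PureWindowsPath(ev["image"]).name.lower()
            if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
                alerts.append((ev["host"], "office_spawns_script_host", f"{parent} -> {child}"))
        elif ev.get("type") == "dns":
            # .bit is not a public DNS TLD; a lookup for it is suspicious on its own.
            name = ev["query"].lower().rstrip(".")
            if name.endswith(".bit"):
                alerts.append((ev["host"], "namecoin_bit_lookup", name))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {detail}")
```

A cmd.exe parent spawning PowerShell (the last sample line) is deliberately not flagged, since that is routine on most hosts; the Office-parent condition is what ties the alert to the macro stage.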

As with similar ransomware campaigns, the price of decryption increases after a certain period of time. This is done to induce urgency on the part of the victims. At current market prices, decryption would cost $1,050. This is considerably more than the sums demanded in previous attacks that asked for payment in Bitcoin.

DASH has implemented a number of privacy-enhancing protocols that try to hide the transactions in question. For example, it uses something called Darksend mixing, which mixes your coins with those of other users on the blockchain. This could make it harder for authorities to trace the ransom payments.

Lessons to be Learned

It probably goes without saying that you should not download PDF documents from people you are not familiar with. An unexpected attachment of this kind should be treated as the tell-tale sign of an attempt to get malicious code onto your PC.

With respect to the other exploit vectors that GandCrab uses, you should leave any website that you have been unknowingly redirected to, and avoid clicking on suspicious ads.

Lastly, and most importantly, installing an effective antivirus program would help to identify the exploits. Often, the user is the weakest link in a ransomware attack.

Featured Image via Fotolia & Dash

Editors at large. Posting the latest news, reviews and analysis to hit the blockchain.