GandCrab - The Ransomware That Won’t Give Up

Joe CISO on June 10, 2018

Ransomware got you feeling a bit, well, crabby?

Then meet GandCrab.

Making its rounds since January, GandCrab is the latest variant to join the “Who's Who” list of prominent ransomware. Though all ransomware is nasty, not all have the staying power of famous variants like Cerber or Cryptowall.

For example, remember 2017’s Popcorn Time or Jigsaw? Probably not (unless you're a cyber security junkie, in which case, good for you!). These variants, nasty as they were, faded into exploit oblivion once their creators had collected a tidy sum of profits.

This is what makes GandCrab unique - it's nothing if not extremely persistent.


The Evolution of a Threat

Since it was first noted by researchers at the beginning of the year, the malware has gotten more than a few facelifts and uses many different modes of distribution. Typically, ransomware distributors stick with one mode, perhaps switching it up after a few months of a good run. For example, the notorious Locky ransomware generally uses phishing emails to spread itself, and the 2017 nightmare WannaCry spread by scanning for public-facing SMB ports and exploiting a vulnerability in that service.

But this baddie seems to be determined to get its, ahem — claws — into everything.

According to researchers at Cisco, GandCrab was first noted spreading via phishing emails disguised as online purchase summaries. The emails carried a ZIP attachment that, when opened, executed the malicious payload. At the same time, the variant was spotted using VBScript files in place of the ZIP files. Though this isn't a massive difference in delivery method, it's a testament to the creator's persistence.
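As an added example that is not from the post or from Ericom, here is a Python mail-gateway check for the delivery pattern just described: it opens ZIP attachments and flags members whose final extension is a script or executable type (double extensions such as invoice.pdf.vbs included), and flags bare script attachments the same way. The extension list and the sample "purchase summary" message are constructed assumptions for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions treated as active content; the set is an assumption for this example.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
                     ".exe", ".scr", ".bat", ".cmd", ".ps1"}

def risky_members(zip_bytes: bytes) -> list:
    """Names of ZIP members whose final extension is a script or executable type."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = "." + name.rsplit(".", 1)[1] if "." in name else ""  # catches invoice.pdf.vbs
            if not info.is_dir() and ext in SCRIPT_EXTENSIONS:
                findings.append(info.filename)
    return findings

def scan_message(raw: bytes) -> dict:
    """Map each flagged attachment name to the script/executable names found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        lower = fname.lower()
        if lower.endswith(".zip") or part.get_content_type() == "application/zip":
            try:
                hits = risky_members(part.get_payload(decode=True) or b"")
            except zipfile.BadZipFile:
                hits = ["<unreadable zip>"]  # a corrupt archive is itself suspicious
            if hits:
                report[fname] = hits
        elif any(lower.endswith(e) for e in SCRIPT_EXTENSIONS):
            report[fname] = [fname]  # bare script attachment, VBScript-style delivery
    return report

def build_sample_message() -> bytes:
    """Constructed 'purchase summary' mail whose ZIP hides invoice.pdf.vbs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_Summary/invoice.pdf.vbs", "' constructed placeholder, not a script\r\n")
        zf.writestr("Order_Summary/readme.txt", "thank you for your purchase\r\n")
    msg = EmailMessage()
    msg["Subject"] = "Your online purchase summary"
    msg.set_content("Please find your order summary attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="Order_Summary.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` returns only the ZIP's VBScript member, leaving the harmless readme unflagged.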

Just a few days later, GandCrab began being distributed via vulnerabilities in legitimate, but highly insecure websites. (Scary side note for any WordPress DIYers out there: Make sure you keep your websites patched and updated to the latest version of the platform if you don’t want your site to be next!)

The malware has also been caught spreading via the GrandSoft and RIG exploit kits, and most recently was spotted using the Magnitude exploit kit. All these different methods of distribution have made GandCrab one of the most widely distributed ransomware baddies out there – and certainly the most talked about thus far in 2018.

Apart from all these outward iterations, a whole lot of backend aspects of GandCrab have also been evolving. The "you've been ransomwared" note has changed many times, along with the appearance of the payment home page. If you know anything about software development approaches, it seems clear that GandCrab's developers have ripped a page straight out of the Agile playbook, tweaking and deploying frequently – to disastrous effect.

Some things have not changed, though. In a departure from the typical ransomware scheme, GandCrab accepts the Dash cryptocurrency, in addition to Bitcoin, for payment. Dash, a mashup of the words Digital Cash, is known for being the most privacy-focused cryptocurrency today, which makes it far more difficult to track where payments are sent. Though GandCrab appears to be the first ransomware to use Dash, it's a safe bet that it won't be the last.


Browser Isolation and Ransomware

Traditional antivirus tools have little success defending against ransomware because they rely on signatures of known variants. Even next-gen antivirus needs to be able to recognize a threat before it can block it. When it comes to ransomware, attackers use all kinds of obfuscation techniques to help their 'wares fly under the radar of whatever antivirus is installed on the network. If it's not recognized… it goes unblocked.

Isolating your browser is the key to effectively blocking web-borne ransomware. Instead of relying on the ability to recognize and detect an exploit, this technology blocks all active web code from the endpoint by default. Browsing sessions are rendered remotely in a disposable container that is "thrown out" at the end of each session. This ensures that ransomware and any other malicious elements are disposed of – regardless of how well they are disguised – and all that reaches the endpoint is a clean, interactive stream of content. Considering that every single dirty delivery method GandCrab uses ultimately sneaks in via the web, remote browser isolation is the best way to ensure that nothing can sink its claws into your network.

While GandCrab may be ever-changing, it’s painfully clear that this is one threat that's going to be around for a while. Make sure your organization has the tools it needs to defend itself.


Joe CISO

Joe CISO is the information security professional responsible for protecting the organization from all cyber threats, including ransomware, drive-by downloads and zero-day exploits. | Ericom Software
