How would you like to make a quarter of a billion dollars in just a few months? No problem. Just get involved with the nice folks who run GandCrab Ransomware. They have combined ransomware with botnets to target any business or organization holding large amounts of valuable data. In fact, GandCrab has been so effective in bilking enterprises out of money that it would qualify for the Malware of the Year Award, if there was such an award.
Should you be worried? Yes, especially if you are a corporation, a university, or a healthcare organization. In fact, any organization which would be devastated by losing its data, files, or sensitive information should be worried. That said, you are not helpless.
First of all, let’s look at how GandCrab gets control of your data. They use a number of vectors and, no doubt, more will be forthcoming. After all, with so much money in their coffers, the developers of GandCrab can afford to pay for the best people to continuously upgrade their attacks. It is now upgrading its attacks almost daily in a fight against law enforcement agencies and antivirus developers who are working just as hard to make GandCrab removal tools.
Some of the attack vectors used by GandCrab are of the tried-and-true variety. These include spam emails with links to infected sites or phishing emails with Word or PDF documents attached. Recently, they’ve been packaging the malware with legitimate apps, often those that assist with remote access to a device. However, whatever their method of attack, you cannot argue with their success. Since July, they have claimed over half a million victims.
There are a number of reasons why GandCrab has managed to make so much money. In the past, ransomware attackers asked for modest ransoms. They wanted to make it less expensive for the victim to pay them than pay cybersecurity experts to decrypt their files. When GandCrab gets a foothold on a computer or network, the first thing it does is scan the files to determine how much important data is stored there. It doesn’t matter to them if the files are protected with passwords. In fact, this just shows them that something important must be on the infected device. They adjust their ransom payment based on how much data that they can seize. According to Bitdefender, ransoms range from $600 to $700,000. True, about half of all traditional ransomware victims simply agree to pay the ransom, but my guess is that when ransoms begin to reach the $100,000 range, these enterprises may want to consider hiring some experts to work on the problem. It simply may be more economical to do so.
One result of GandCrab’s financial success is their creation of a ransomware organization. They first teamed up with botnet operators. The botnets helped deliver infected spam or installed GandCrab malware on infection-prepared devices. The botnet owners receive a percentage of all ransom payments. Recently, the malware has been teaming with NTCrypt which gets the malware installed without being detected by antivirus programs. This results in an increase in infection rates.
Attackers have also been using the Rigs Exploit Kit to identify vulnerable computers and networks. In addition, this exploit kit has software which enables it to detect and bypass any sandboxing which may be used to protect sensitive data. The makers of the malware are now offering a ransomware-as-a-service affiliation, in which associates can make money off the exploits for a fee. According to one source, there are at least 100 affiliates using the GandCrab exploit.
How do you know if you are a victim?
This may not be immediately obvious. As mentioned above, the malware first assesses the files on the compromised device to determine the value of the information stored there. Your first indication that you may be compromised is that certain programs may close unexpectedly. It especially looks for any virtual machine, sandboxing, or anti-malware programs and begins working on shutting them down or altering their registry keys. According to FireEye, “it can detect almost all well-known VM software, including Xen, QEMU, VMWare, Virtualbox, Hyper-V, and so on.” When it feels the defenses have been neutralized, it will connect to a C&C address.
Eventually, the victim will realize something is not quite right, by then, however, it is too late. They will receive a personalized message that will look like the following.
You will also receive the following text note.
All the files are encrypted with the same extension. That extension is now randomized for each individual attack so that software decryption tools cannot readily decrypt the files. As you can see in the note, the victim is directed to install Tor and use it to retrieve the encrypted files. Visiting the Tor site will give the victim this interface. One file can be decrypted for free to show that these attackers really control all of your files.
The victim will then be lead to the following page which will tell them how and how much to pay.
What can you do if you’re a victim?
So far, law enforcement agencies and private cybersecurity firms have been able to keep up with the evolution of GandCrab. Bitdefender has led the way in this regard with its free GandCrab removal tool, which looks like this.
(Important note: Don’t delete the ransom notification files or do anything at all with the encrypted files as this information is needed for the removal tool to be effective.)
Sadly, 24 hours after Bitdefender released the tool to remove GandCrab v5.0,4, the developers of GandCrab released GandCrab v5.0.5. Expect Bitdefender to come up with a new removal tool shortly as the war goes on.
If you have a version of GandCrab that currently can’t be removed, Bitdefender gives the following advice.
Affiliates using the malware may come up with novel ideas that may make the malware even more insidious than it already is. It is just a matter of time before the malware infects a major corporation or brings down part of the infrastructure. Law enforcement is already aware of this possibility which is why they are so active in trying to take it down. If you don’t remember, the San Francisco Municipal Transportation Agency (MTA) was brought down by ransomware two years ago, forcing them to give customers free rides. And don’t forget that the city of Atlanta was crippled by a ransomware attack in March. The same will happen again and, this time, GandCrab will be behind it.