Table of Contents
Table of ContentsHow Does It Work?How the Ransomware Is Spreading?Payload History of GandCrab ransomwareGandCrab Ransomware Protection Tool
Following the footsteps of ransomware like Petya and WannaCry, GandCrab ransomware created havoc in the first months of 2018 as money-snatching crab loitering online. With the agenda of joining the forum of illegal hacking, GandCrab ransomware became one of the widely-distributed trojans.
Later, the South Korean security vendor AhnLab released a vaccine for the same and saved the victims from paying millions. Recently, the owner of the GandCrab ransomware has warned about the upcoming version of the trojan as a retaliation against the AhnLab’s vaccine. As per the reports, the new ransomware might include zero-day for the AhnLab v3 Lite antivirus.
But what exactly is GandCrab ransomware and how does it affect our system? In this blog, we will focus on the GandCrab ransomware analysis and its remedies.
How Does It Work?
Once the ransomware lands on the victim’s system, it automatically takes the victim to the GrandSoft EK page or on Rig Exploit Kit page. From here, the GandCrab ransomware controls the files of the system and lock the device.
Once the ransomware infiltrates the machine, it gathers every sensitive and personal information of the user to intimidate them. Information about passwords, username, antivirus, keyboard type, Windows version, etc. is accumulated to decide the future strategy. It eliminates or disables the process currently running on the system to expose and encrypt files and folders.
Also Read : An Insight to CoinVault Ransomware
The next target of ransomware is built-in crypto functions for creating private and public keys on the system of the victim. These keys are then sent to one of the ransomware page along with all the significant information about the victim’s machine. It is the same information that the trojan gathered from the victim’s computer and hosted it on .bit domain.
In the final stage, this ransomware starts encrypting all the documents through the public key created earlier. It adds “.GDCB” extension to every document for encryption. Once the encryption is completed, it creates a “GDCB-DECRYPT.txt” file along with a message demanding ransom from the victim for decrypting the information.
How the Ransomware Is Spreading?
As per the source, the ransomware is spreading via corrupted websites and emails and compromised advertisements. However, experts have managed to find two sources:
2. Use of exploit kits for Drive-by download
Payload History of GandCrab ransomware
1. GandCrab v1
The first version of this ransomware was discovered in January 2018 by a security researcher named David Montenegro. The GandCrab payload shows conventional ransomware activities, where it encrypts the victim’s data with a key. The key stays unique to each victim and the owner sends ransom messages along with commands to pay the amount in exchange for the key. The trojan spread like a wildfire, where the victims were asked to pay the amount in the crypto-currency DASH. Soon, they started accepting Bitcoin too.
2. GandCrab v2
As soon as the decryptor released for GandCrab v1, the next attack was launched on 5th March 2018. The latest version of the ransomware was more powerful and the decryptor did not work for it. Also, the trojan launched a new and better extension with the diverse hardcoded domain. Also, the codes moved to a DLL and it started attacking the kernel-mode elements of Antivirus software.
Also, each ransom message had a version number and, each payload had another “internal version number. The payload version number was used for connecting to the C&C over the network and none of the numbers matched to each other
3. GandCrab v3
On April 23, 2018, an updated version of GandCrab was discovered with internal version 3.0.0. Later, on May 9, 2018, v3.0.1 version was released.
4. GandCrab v4
On July 1st, 2018, the latest version of GandCrab ransomware came into existence and on July 5th, an updated v4.1 version released. This version of the ransomware has some noteworthy features to unlock. It replaced most of the codes, performed fast encryption and then quickly vanished from the system to avoid detection.
Must Read : All You Need to Know About Spartacus Ransomware
GandCrab Ransomware Protection Tool
Adopt some good computing habits and keep updating your security software. Always keep backup of your important data to offline devices that you can restore anytime. Also, ensure that you never leave your machine and system running and connected to the internet especially your desktop.
So, this was all about the GandCrab Ransomware Protection Tool and its in-depth analysis. Keep your system safe and avoid any ransomware attack by staying alert and taking precautionary steps.