The ransomware ecosystem has become fairly dull over time. It is mostly inhabited by lookalike strains that routinely stick with a uniform operational pattern: infect, encrypt, and demand Bitcoin for reverting the damage. However, the GandCrab specimen that surfaced in late January 2018 departs from this well-trodden paradigm in several respects.
It uses several different exploit kits to spread. One of them, GrandSoft, had been considered extinct until it was spotted delivering this ransomware's payload. Another one, RIG EK, hadn't been involved in distributing blackmail malware for quite some time, and now it's back in the game.
The second wave of GDCB GandCrab propagation relies on malicious spam, where booby-trapped email attachments are camouflaged as receipts or invoices and come in the form of 7z archives or pseudo PDF documents. When opened, the file surreptitiously invokes a number of commands to fire up a PowerShell script that completes the contamination chain. Interestingly, the malspam vector only targets 64-bit editions of Windows.
When up and running in a system, GandCrab reaches out to its Command & Control server and receives a public encryption key from it. Then, it scans the computer's hard drive partitions, removable media and network shares for common file types. All the objects found during this traversal get encrypted with the asymmetric RSA cipher.
In addition to the cryptographic impact, the ransomware amends filenames by adding the .GDCB extension to them. It also drops a ransom how-to named GDCB-DECRYPT.txt, which provides links to a Tor page named GandCrab Decryptor. When on that page, the victim is instructed to pay 1.54 Dash (about $1,200) for the RSA private key. The use of Dash cryptocurrency instead of Bitcoin or Monero is another offbeat trait of this sample.
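The two filesystem artifacts described above, the appended .GDCB extension and the GDCB-DECRYPT.txt note, are what an incident responder sweeps for first to scope an infection. The following Python script is an added example, not code from the original article or from any decryptor project: it walks a directory tree read-only, inventories renamed files and ransom notes, and tallies which original file types were hit. The sample tree it scans is constructed in a temporary directory so the script runs offline; the helper names (sweep_for_gandcrab, build_sample_tree, run_demo) are this example's own.

```python
"""Added example: read-only triage sweep for GandCrab-style artifacts.
Looks for files renamed with the .GDCB extension and for GDCB-DECRYPT.txt
ransom notes, then reports affected directories and original file types.
The directory layout scanned here is a constructed sample, not real data."""

import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".gdcb"           # extension GandCrab appends (page: .GDCB)
RANSOM_NOTE = "gdcb-decrypt.txt"  # ransom how-to dropped by the sample (page)


@dataclass
class SweepResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    original_types: Counter = field(default_factory=Counter)

    @property
    def affected_dirs(self):
        # Any directory holding either an encrypted file or a ransom note
        hits = self.encrypted_files + self.ransom_notes
        return sorted({os.path.dirname(p) for p in hits})


def sweep_for_gandcrab(root):
    """Walk `root` and collect GandCrab artifacts. Nothing is modified or
    deleted, so the result is safe to use as an IR inventory."""
    result = SweepResult()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                result.ransom_notes.append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
                # The original extension sits just before the appended .GDCB
                stem = name[: -len(ENCRYPTED_EXT)]
                orig_ext = os.path.splitext(stem)[1].lower() or "<none>"
                result.original_types[orig_ext] += 1
    return result


def build_sample_tree(root):
    """Constructed sample: two hit directories plus one untouched directory."""
    layout = {
        "docs": ["report.docx.GDCB", "budget.xlsx.GDCB", "GDCB-DECRYPT.txt"],
        "photos": ["holiday.jpg.GDCB", "GDCB-DECRYPT.txt"],
        "clean": ["readme.txt", "notes.md"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "w") as fh:
                fh.write("sample\n")
    return root


def summarize(result):
    """The numbers an analyst wants first: how much was hit, and where."""
    return {
        "encrypted": len(result.encrypted_files),
        "notes": len(result.ransom_notes),
        "dirs": len(result.affected_dirs),
        "types": dict(result.original_types),
    }


def run_demo():
    """Build the constructed tree in a temp dir, sweep it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        result = sweep_for_gandcrab(build_sample_tree(tmp))
        summary = summarize(result)
        summary["affected_dirs"] = [os.path.relpath(d, tmp) for d in result.affected_dirs]
    return summary


if __name__ == "__main__":
    print(run_demo())
```

Point sweep_for_gandcrab at a mounted image or a network share root instead of the constructed tree to scope a real incident; the per-type tally helps prioritise restores from backup, since the article notes the cipher itself cannot be cracked.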
Unfortunately, it is impossible to crack the crypto utilized by GandCrab at this point. While some forensic data-recovery techniques may be worth trying, it is strongly recommended to focus on prevention. Do not download suspicious email attachments, and be sure to keep the operating system and third-party software up to date.