Back to the Drawing Board: The Many Lives of GandCrab, 2018’s Biggest Ransomware Threat Yet

Were you thinking that the ransomware epidemic was somehow over?
It’s true — in recent weeks and months, the threat of malicious crypto mining has overshadowed ransomware, but don’t let that fool you — ransomware is alive and well.
Take GandCrab, for example.
GandCrab is, by all standards, the most widely distributed ransomware yet in 2018. Making rounds since January, in some ways this baddie is your typical run-of-the-mill ransomware variant. It all starts when the victim performs an action that executes the malicious code. Once the code is set into motion, the unfortunate victim’s files are encrypted and a ransom note appears on their desktop.
Pretty straightforward thus far, but this is where its simplicity ends.
What makes GandCrab so entirely unique is it’s persistence. Since January, the variant has been subject to countless iterations and advancements in how its distributed and executed. GandCrab has evolved from a simple threat in its earliest iterations to a much more formidable one, with each stage of development building on lessons learned from the previous one.
Researchers feel that the exploit is taking its cues from the agile method of software development, in which programs are developed incrementally, over very short periods of time and then deployed very fast. The speed with which programs are deployed can lead to quality and consistency issues but this isn’t seen as a problem — it’s considered an iterative process, one in which eventually, the developers will “get it right”. This is a break from the typical ransomware development process, in which developers only deploy fully ready exploits.
To illustrate, when GandCrab was first released, it had some gaping vulnerabilities of its own, like the fact that it could be decrypted without paying the fee. Word of the vulnerability got back to developers and it was pulled from distribution. A few weeks later it resurfaced, sans that particular vulnerability — and enhanced with some new bells and whistles.
And so it goes with GandCrab. After a wave of infections, the exploit goes back to the drawing board where its developers tweak it to see where they can “do better”.  As part of its ever-adjusting development strategy, in just the last few months, GandCrab has tested out the following delivery methods:
Lots and lots of exploit kits: Okay, first let’s address what an exploit kit is – it’s a toolkit used by attackers to locate and attack vulnerabilities on computers and networks, generally with the end goal of distributing malware and the like. The typical ransomware exploit uses one exploit kit. But not our buddy GandCrab; thus far, it has used at least three different exploit kits: RIG, GrandSoft and Magnitude, which previously was only used to push its own malware.
Phishing emails: Posing as a shipment notice from an online order, when the recipient clicks the ZIP file attachment, the malicious payload is executed.
Browser hijackers: Pretending to be a useful browser extension, the exploit redirects users to malicious sites where the malware is downloaded onto the user’s device.
Insecure (yet legitimate) websites: GandCrab has been spotted using outdated WordPress websites harboring dangerous vulnerabilities to host its ransomware. In case you were wondering, this is a direct result of WordPress DIY’ers, who don’t realize the grave importance of keeping their sites updated. Once these websites become outdated, they are super-easy to exploit; website creators might as well hang up a sign that says “Attackers, C’mon In!”.
Affiliate programs: As if all this weren’t enough, GandCrab’s creators are selling their wares to other wanna-be ransomware distributors. “Customers” deploy the exploit and get between 60-70 percent of all earnings, as well as end-to-end customer support.
In yet another clever deviation from the norm, the program demands for payment to be made in Dash, rather than BitCoin. Dash, a portmanteau of the words Digital and Cash, is a crypto currency that’s growing in popularity because it’s considered to be more anonymous and privacy-centered than BitCoin. By extension, it’s also harder to trace payments made in Dash, so crimes committed using the cryptocurrency are less likely to be solved.
Clearly this motley collection of tactics is working — So far, GandCrab has netted $600,000 — and there are still no leads on who’s behind it. Whoever’s running it though seems to be bent on evading detection at all costs.
Preventing GandCrab (and all other ransomware, too)
So what does all this mean for you?
Well for one thing, remember that the threat of ransomware is still very much a problem — and it will be for some time. Therefore, it’s worthwhile to understand that there are things you can do to minimize your chances of getting “ransomwared”, namely:

  • Watch out for phishing emails and don’t click links or attachments in emails unless you’re certain they are legitamate.


  • Keep your systems patched and updated – exploit kits look for vulnerabilities in unpatched software and once they find them, it becomes incredibly easy to infiltrate your device.


  • Back up your files on a regular basis – this way, if you do wind up infected, your data will remain intact.


  • Avoid installing unnecessary browser ad-ons – at best, they can become outdated and vulnerable to attacks. At worst, they can be outright malware.

Perhaps the scariest lesson to take away is this: Ransomware, like all digital threats, is constantly evolving — The new methods used in this exploit are likely a harbinger of what’s to come — which means we can expect stealthier variants which are more difficult to shut down and harder to trace. If GandCrab represents the future of ransomware, this is a very scary prospect indeed.