GandCrab

from Wikipedia, the free encyclopedia

GandCrab is an encryption Trojan (ransomware) that has been known since the beginning of 2018. At the end of May 2019, the Trojan's developers announced on the hacker forum Exploit.it that they would end support for GandCrab at the end of June 2019. According to them, the Trojan's victims paid more than two billion US dollars in ransom. The developers claimed to have made $2.5 million a week, about $150 million a year, and to have invested the money in various legal projects.

GandCrab at times had a 40% share of the total ransomware market. New versions appeared continually and were distributed in different ways, for example via e-mail attachments or vulnerabilities in software systems.

History

GandCrab was first described by the IT security expert David Montenegro at the end of January 2018. The number of victims rose very quickly. Ransom was initially demanded in the cryptocurrency Dash; Bitcoin was added later. At the end of February 2018 a decryption program for GandCrab v1 was released, a joint effort of the Romanian police, Bitdefender and Europol.

At the beginning of March 2018, GandCrab v2 was identified; it was immune to the decryption program and contained a number of extensions and improvements. Version 3 was discovered on April 23, 2018, and version 4 on July 1, 2018.

Version 5 was announced on September 27, 2018. Version 5.2 appeared on the market in February 2019.

At the end of May 2019, the developers of GandCrab announced on a widely used hacker forum that they would close their online portal at the end of June 2019. The developers said GandCrab had brought in over $2 billion, earning them $2.5 million a week or about $150 million a year, which they had invested in various legal projects. They claimed to have proven that doing evil does not lead to punishment ("We have proved that by doing evil deeds, retribution does not come").

The figures given by the developers have been questioned. It is believed that they were meant to encourage victims to pay the ransom quickly.

Business model

GandCrab was sold as Ransomware-as-a-Service (RaaS). A customer who wanted to use the Trojan for extortion bought a service that could be set up with just a few clicks.

The customer purchased a tailor-made version of the Trojan on the developers' online portal and then deployed it against the desired group of victims. A portion of the extorted ransom went to the developers.

Transmission routes

GandCrab used several distribution channels. JavaScript and Doc (VBA macro) droppers were common; they reached the victim mostly as e-mail attachments (spam) and then downloaded the Trojan. Another route was exploit kits (e.g. RIG, GrandSoft, Fallout) that were triggered via disguised links, mostly on compromised websites, and exploited browser or Flash vulnerabilities.
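The attachment-based droppers described above are the part of this distribution chain a mail gateway can act on. The following Python script is an added example, not code from the Wikipedia article or from any GandCrab analysis, showing a simple defensive triage of attachments: script files are blocked, zip-based Office documents are opened in memory and blocked if they carry a VBA project (`word/vbaProject.bin`), plain archives are blocked if they contain a script file, and legacy OLE `.doc` files are flagged for review. The extension list, verdict names and all sample attachments are constructed for the example.

```python
import io
import zipfile

# Extensions that Windows runs as scripts; constructed list for this example.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.docm and plain .zip


def _extension(name: str) -> str:
    """Lower-cased final extension of a file name ('' if there is none)."""
    lowered = name.lower()
    return lowered[lowered.rfind("."):] if "." in lowered else ""


def classify_attachment(name: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment.

    Script files are blocked outright.  Zip-based containers are opened in
    memory: an Office document with a VBA project (word/vbaProject.bin) is
    blocked, a plain archive that carries a script file is blocked, anything
    else is allowed.  Legacy OLE .doc files can carry macros too, but reading
    their streams needs a parser outside the standard library, so they are
    only marked for review.
    """
    if _extension(name) in SCRIPT_EXTENSIONS:
        return "block"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                members = [m.lower() for m in archive.namelist()]
        except zipfile.BadZipFile:
            return "review"           # claims to be a zip but does not parse
        if any(m.endswith("vbaproject.bin") for m in members):
            return "block"
        if any(_extension(m) in SCRIPT_EXTENSIONS for m in members):
            return "block"
        return "allow"
    if data.startswith(OLE_MAGIC):
        return "review"
    return "allow"


def build_zip(entries: dict) -> bytes:
    """Construct an in-memory zip archive from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for member, content in entries.items():
            archive.writestr(member, content)
    return buf.getvalue()


def sample_office_doc(with_macro: bool) -> bytes:
    """Minimal constructed OOXML document, optionally with a VBA project."""
    entries = {
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
    }
    if with_macro:
        entries["word/vbaProject.bin"] = b"\x00"  # placeholder, not real VBA
    return build_zip(entries)


def triage(attachments):
    """Classify a list of (name, bytes) pairs; returns {name: verdict}."""
    return {name: classify_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    # Constructed sample attachments, not real malware.
    mailbox = [
        ("invoice_2019.pdf.js", b"var p = 1;"),
        ("contract.docm", sample_office_doc(True)),
        ("notes.docx", sample_office_doc(False)),
        ("scans.zip", build_zip({"readme.txt": b"hi", "scan.js": b"x"})),
        ("legacy.doc", OLE_MAGIC + b"\x00" * 504),
        ("photo.jpg", b"\xff\xd8\xff\xe0"),
    ]
    for name, verdict in triage(mailbox).items():
        print(f"{verdict:6s} {name}")
```

The verdict is based on content (magic bytes and archive members), not only on the declared extension, so a dropper renamed to look like a PDF is still caught once its container is inspected; the double-extension case in the sample mailbox is caught by the final extension alone.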

Mode of operation

In the first versions, GandCrab contacted its C&C server before encrypting files. Version 4 could also perform the encryption without a connection to the server. Version 4 used Salsa20 for encryption, compared to RSA-2048 in earlier versions.

GandCrab checked whether the infected computer was located in a Russian-speaking country (e.g. Russia, Ukraine, Belarus); in that case the Trojan performed no encryption.
