Users Beware: Dash Ransomware “GandCrab” of Russian Origin Infecting PDF Files by stoneheart

· @stoneheart ·
![image](https://img.esteem.ws/fs25zi8s4x.jpg)

There’s a new ransomware on the loose, targeting unsuspecting victims’ computers by way of malicious downloadable PDF files. Before delving any deeper, BTCManager reminds all readers to exercise the utmost precaution while downloading PDF files from unknown senders.

What is GandCrab?
The looming threat came into the limelight after LMNTRIX, an Australian cybersecurity firm, published a report earlier in February 2018 claiming that a newly engineered ransomware dubbed “GandCrab” is being promoted on the dark web as a ransomware-as-a-service to cyber thugs. The content of the promotional campaign is in Russian, the security firm added.

If the term ransomware doesn’t ring a bell, it’s high time to investigate the security threat. While it is relatively new, it is also positioned as one of the worst forms of malware you are at risk of encountering.

Upon breaching the victim’s computer, a ransomware virus encrypts a user’s content, making it inaccessible. The only way the victim can hope to regain access to their content is by paying a hefty ransom to the perpetrators.

According to the LMNTRIX report, GandCrab is developed in such a way that anybody can buy it online through a shady dark web marketplace. Once they purchase it, the buyer becomes a member of the extended GandCrab network. Any money made by victimizing unsuspecting users is then split between the developers and the members by a ratio of 60:40.

The members, however, have the option of increasing their shares up to 70 percent if they are able to breach a large number of computers successfully.

There are a few conditions to fulfill before the agents can get started, however. To use the ransomware to make money, members must register with the network and apply. Additionally, members are also prohibited from targeting users from the former Soviet Republic nations including the Commonwealth of Independent States (CIS).

How does GandCrab work?
The LMNTRIX report states that GandCrab makes use of RIG and GrandSoft exploit kits to spread and target computers. This technique is somewhat unique considering that said exploit kits are traditionally associated with malware such as trojans and crypto miners.

There are no known reports of other ransomware in the past that depend on exploit kits to transmit and infect. Even more surprisingly, the exploit kit GandCrab uses was thought to have disappeared for some time.

Among other key findings, the LMNTRIX report also claims that the ransomware’s servers use a .bit domain. This information is significant given that the .bit domain is not included in the traditional ICANN authorized DNS and requires all payments to be handled using cryptocurrencies only.

Of the cryptocurrencies allegedly leveraged, Dash seems to be the preferred token of choice in this case as it offers a higher degree of anonymity compared to most other coins.

Each Dash token is equivalent to around $740, and the GandCrab ransomware demands 1.5 Dash from its victims, which translates to roughly $1,100 at press time. If the victim fails to pay the ransom within the stipulated period, the ransom price doubles.
Created: 2018-02-18 00:50:30
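A defensive check that follows from the .bit detail in the post, added here as an example and not part of the original post or the LMNTRIX report: since .bit is not delegated in the ICANN root, lookups for it on an internal resolver are unusual and worth surfacing per client. The log layout (modelled on a BIND query log), the addresses and the names are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample in the style of a BIND query log; every host and name is made up.
SAMPLE_LOG = """\
18-Feb-2018 00:50:30.101 client 10.0.0.5#53211 (www.example.com): query: www.example.com IN A + (10.0.0.1)
18-Feb-2018 00:50:31.442 client 10.0.0.7#40112 (placeholder-c2.bit): query: placeholder-c2.bit IN A + (10.0.0.1)
18-Feb-2018 00:50:35.007 client 10.0.0.7#40113 (Placeholder-C2.BIT.): query: Placeholder-C2.BIT. IN A + (10.0.0.1)
18-Feb-2018 00:51:02.310 client 10.0.0.9#51000 (bit.example.org): query: bit.example.org IN AAAA + (10.0.0.1)
18-Feb-2018 00:51:09.555 client 10.0.0.5#53300 (other-name.bit): query: other-name.bit IN A + (10.0.0.1)
malformed line that should be skipped
"""

# Captures timestamp, client IP, queried name and record type from one log line.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9a-fA-F.:]+)#\d+ "
    r".*?query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def find_bit_lookups(log_text):
    """Return {client_ip: {count, names, first_seen, last_seen}} for .bit queries."""
    hits = defaultdict(
        lambda: {"count": 0, "names": set(), "first_seen": None, "last_seen": None}
    )
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query line, or a format we do not parse
        # Normalise: DNS names are case-insensitive and may carry a trailing root dot.
        name = m.group("name").rstrip(".").lower()
        # Compare the last label only, so "bit.example.org" is not flagged.
        if name.rsplit(".", 1)[-1] != "bit":
            continue
        rec = hits[m.group("client")]
        rec["count"] += 1
        rec["names"].add(name)
        rec["first_seen"] = rec["first_seen"] or m.group("ts")
        rec["last_seen"] = m.group("ts")
    return dict(hits)


if __name__ == "__main__":
    for client, rec in sorted(find_bit_lookups(SAMPLE_LOG).items()):
        print(client, rec["count"], sorted(rec["names"]),
              rec["first_seen"], rec["last_seen"])
```

A hit shows only that a host tried to resolve a .bit name; the per-client grouping gives a starting point for triage of that host.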
@cheetah ·
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://thebitcoinnews.com/users-beware-dash-ransomware-gandcrab-of-russian-origin-infecting-pdf-files/
Created: 2018-02-18 00:50:45
@umerfarooqorak ·
I like your work dear
You and analyst @salahuddin2004 are two top analysts of cryptoworld.
Created: 2018-02-18 00:51:54