LMNTRIX, an Australian cybersecurity firm, on Friday released a report on its investigation into a newly engineered ransomware strain called GandCrab (also written ‘GandCrabransomware’). The malicious program is being marketed and advertised in Russian on the dark web to potential buyers as a ransomware-as-a-service package.
According to the LMNTRIX report, this unusual ransomware uses the RIG and GrandSoft exploit kits as its distribution mechanism. This is a surprising finding, since exploit kits are commonly known to deliver trojans, cryptominers, RATs and downloaders such as Ramnit, but not ransomware, as Malwarebytes explained in a blog post on 30 January this year. GrandSoft’s involvement is even more surprising, since that exploit kit had been thought to have disappeared.
LMNTRIX also found that GandCrab’s servers are hosted on a .bit domain, which lies outside the ICANN-authorized Domain Name System, and that the ransomware demands payment exclusively in cryptocurrency, particularly Dash, which offers greater anonymity and lower transaction fees than Bitcoin. A single Dash is worth about $400; the ransomware asks for 1.5 Dash, which converts to over $600.
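A C2 server on a .bit domain is a useful detection signal for defenders: .bit names are resolved through the Namecoin blockchain rather than the ICANN root, so a corporate resolver should rarely, if ever, see a query for one. The following added example (not code from the LMNTRIX report or from the article) scans resolver log lines in a simple, assumed "timestamp client query" format and flags queries whose top-level domain is not delegated in the ICANN root; it covers both .bit (Namecoin) and .onion (Tor, reserved by RFC 7686). The log lines and domain names are constructed placeholders, and the TLD set is a starting point rather than an exhaustive list.

```python
import re
from collections import Counter

# Top-level domains that are not delegated in the ICANN/IANA root zone.
# ".bit" names resolve only through Namecoin and ".onion" names only through
# Tor (RFC 7686), so an ordinary workstation asking the corporate resolver
# for either is worth a look. Assumed starting set, not exhaustive.
NON_ICANN_TLDS = {"bit", "onion"}

# Constructed sample log in an assumed "timestamp client query" format;
# the names are placeholders, not indicators from the report.
SAMPLE_DNS_LOG = """\
2018-02-02T10:14:03Z 10.0.0.15 www.example.com
2018-02-02T10:14:07Z 10.0.0.15 update.example-vendor.net
garbled line
2018-02-02T10:14:12Z 10.0.0.15 examplehiddenservice.onion
2018-02-02T10:14:15Z 10.0.0.15 example-c2.bit
2018-02-02T10:15:01Z 10.0.0.42 mail.example.org.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)\s*$")


def tld_of(name: str) -> str:
    """Return the lowercase top-level label of a DNS name, ignoring a trailing dot."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-1] if labels else ""


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_non_icann_queries(log_text: str, suspicious_tlds=NON_ICANN_TLDS):
    """Return the parsed records whose queried name ends in a non-ICANN TLD."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:  # skip malformed lines instead of crashing the scan
            continue
        tld = tld_of(rec["query"])
        if tld in suspicious_tlds:
            rec["tld"] = tld
            hits.append(rec)
    return hits


def summarize_by_client(hits):
    """Count flagged queries per client address so repeat offenders stand out."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = find_non_icann_queries(SAMPLE_DNS_LOG)
    for h in found:
        print(f"{h['ts']} {h['client']} queried .{h['tld']} name {h['query']}")
    print("flagged queries per client:", dict(summarize_by_client(found)))
```

In practice the same check can run over a resolver's query log or passive DNS feed; a host that repeatedly asks for .bit names is a candidate for isolation and a memory capture, since, as the report notes, the encryption key may still be recoverable from memory.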
The GandCrab ransomware comes with an additional instructional video that illustrates step by step how the program automatically evades detection by most antivirus products; the operators also offer software updates and technical support to their customers.
According to the LMNTRIX research report, the profit made from the GandCrab ransomware is shared between the partners (the affiliates who are given the malicious software) and the developers at a ratio of 60:40, although partners can increase their share to up to 70 percent depending on the number of sales they make. The partnership is also governed by rules and provisions that have been put in place: partners must register and apply to use the GandCrab ransomware; each partner is limited to a given number of “seats”; partners must by all means avoid targeting any country of the former Soviet republics making up the Commonwealth of Independent States; among other dos and don’ts…
According to the English version of the advert, if a victim fails to pay the ransom within a given period, the ransom amount is doubled. The developers and authors of the ransomware can access the victim’s page through a standard web browser and configure bots, individual encryption settings and the ransom size through a convenient admin control panel located on the Tor network.
The ransomware is able to gather information from the victim’s PC such as the system language, operating system version, active fixed drives, IP address, computer name, and the presence or absence of an antivirus. It also reads the keyboard layout to check for Russian layouts, possibly in order to avoid Russian machines. All of this information is then sent to a command and control server.
GandCrab is said to use the RSA algorithm to encrypt targeted files, generating a key for each client in the process. However, according to the research report, it is possible to unlock the encrypted files by pulling the key from memory.