Researchers investigating the newly discovered GandCrab ransomware have learned how its authors are marketing the malicious program as a ransomware-as-a-service package to potential buyers on the dark web.
On Friday, Australian cybersecurity firm LMNTRIX shared with SC Media its findings, after uncovering a Russian-language advertisement for GandCrab — an unusual ransomware in that it uses the RIG and GrandSoft exploit kits as a distribution mechanism, demands payment using the cryptocurrency Dash, and employs a server hosted on a .bit domain.
According to LMNTRIX, the ad offers a partner program, whereby members split GandCrab’s profits with the developers 60:40. Additionally, large partners are given the opportunity to increase their share to 70 percent. The authors also offer technical support and updates to buyers.
However, there are caveats: Partners must not target countries in the former Soviet Republics that now comprise the Commonwealth of Independent States, or their accounts will be deleted. Furthermore,”Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available,” LMNTRIX explained in an email to SC Media.
According to LMNTRIX’s English translation of the ad, the authors also tout the ability to manually configure ransom size, individual bots and encryption masks; a “convenient admin panel” located on the TOR network; and the ability to access a victim’s page from a regular web browser, “which significantly increases the number of payments.” The ad further states that if the victim does not pay on time, the ransom amount automatically doubles.
As an additional selling point, GandCrab’s authors also posted an instructional video demonstrating how the ransomware is able to avoid antivirus detection.