Breaking from typical ransomware distribution tactics, the attackers behind the new malicious cryptor GandCrab are relying on a pair of exploit kits – RIG EK and GrandSoft EK – to infect unwitting victims.
The finding is unusual, as exploit kits are more typically used to deliver downloaders, RATs, cryptominers and other trojans such as Ramnit, as opposed to ransomware programs, Malwarebytes explains in a Jan. 30 company blog post.
“It is interesting to see a new ransomware being distributed via exploit kits in what so far seems to be a few ongoing campaigns,” the post opines. “The other interesting aspect is that two distinct exploit kits are delivering it, although it is unclear if the same actor is behind both campaigns and experimenting with different distribution channels.”
First disclosed by researcher David Montenegro, who discovered it, GandCrab displays a ransom note that states “Welcome! We are regret, but all your files was encrypted!” The ransomware also allows victims to test-decrypt one chosen file from their PCs, as proof of legitimacy.
Adding to its quirkiness, GandCrab demands payment using the cryptocurrency Dash. “This is another sign that threat actors are going for currencies that offer more anonymity and may have lower transaction fees than [Bitcoin],” reads the blog post. As of Jan. 31, one Dash equals $688.13. The ransomware asks for 1.5 Dash, which converts to a little over $1,000.
Also notable: GandCrab's server is hosted on a .bit domain, which exists outside of the normal ICANN-sanctioned Domain Name System and is instead served via the cryptocurrency Namecoin infrastructure.
The well-established and prolific Seamless malvertising campaign is what's pushing the RIG EK distributing GandCrab – and according to Malwarebytes, the process is quite similar to recent Seamless-RIG activity that distributed the Ramnit trojan. The involvement of GrandSoft, however, is more surprising, as this EK was thought to have all but disappeared, the Malwarebytes report continues.
Upon execution, GandCrab collections information on the affected PC, including username, computer name, OS and version, IP, active drives (looking especially for fixed drives), system language, and presence of antivirus. It also checks if the keyboard layout is Russian in nature, perhaps to avoid encrypting such machines. Presumably, this information is subsequently sent to a command-and-control server.
GandCrab uses an RSA algorithm to encrypt victims' files, generating the public and private keys on the client side. Malwarebytes reports that it may be possible to decrypt affected files by pulling the keys from memory.