Threat Management, Malware, Network Security, Ransomware

RIG and GrandSoft exploit kits shell out new GandCrab ransomware

Breaking from typical ransomware distribution tactics, the attackers behind the new malicious cryptor GandCrab are relying on a pair of exploit kits – RIG EK and GrandSoft EK – to infect unwitting victims.

The finding is unusual, as exploit kits are more typically used to deliver downloaders, RATs, cryptominers and other trojans such as Ramnit, as opposed to ransomware programs, Malwarebytes explains in a Jan. 30 company blog post

“It is interesting to see a new ransomware being distributed via exploit kits in what so far seems to be a few ongoing campaigns,” the post opines. “The other interesting aspect is that two distinct exploit kits are delivering it, although it is unclear if the same actor is behind both campaigns and experimenting with different distribution channels.”

First disclosed by researcher David Montenegro, who discovered it, GandCrab displays a ransom note that states “Welcome! We are regret, but all your files was encrypted!” The ransomware also allows victims to test-decrypt one chosen file from their PCs, as proof of legitimacy.

Adding to its quirkiness, GandCrab demands payment using the cryptocurrency Dash. “This is another sign that threat actors are going for currencies that offer more anonymity and may have lower transaction fees than [Bitcoin],” reads the blog post. As of Jan. 31, one Dash equals $688.13. The ransomware asks for 1.5 Dash, which converts to a little over $1,000.

Also notable: GandCrab's server is hosted on a .bit domain, which exists outside of the normal ICANN-sanctioned Domain Name System and is instead served via the cryptocurrency Namecoin infrastructure.

The well-established and prolific Seamless malvertising campaign is what's pushing the RIG EK distributing GandCrab – and according to Malwarebytes, the process is quite similar to recent Seamless-RIG activity that distributed the Ramnit trojan. The involvement of GrandSoft, however, is more surprising, as this EK was thought to have all but disappeared, the Malwarebytes report continues.

Upon execution, GandCrab collects information on the affected PC, including username, computer name, OS and version, IP, active drives (looking especially for fixed drives), system language, and presence of antivirus. It also checks if the keyboard layout is Russian in nature, perhaps to avoid encrypting such machines. Presumably, this information is subsequently sent to a command-and-control server.

GandCrab uses an RSA algorithm to encrypt victims' files, generating the public and private keys on the client side. Malwarebytes reports that it may be possible to decrypt affected files by pulling the keys from memory.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.