The above URL seems to be hosted on a benign Chinese server that was probably compromised by the attackers and now is being used for distributing GandCrab ransomware binaries. The script then downloads the malware to a file on the disk and executes it.įigure 4: JavaScript downloading GandCrab Upon execution, it decodes a URL where GandCrab is hosted.
#Origin graphing program backup files zip
These spam emails trick users into opening the file contained inside the attached ZIP archive, which is generally a script that downloads GandCrab ransomware and executes it.įigure 3: Spam email distributing GandCrab
GrandSoft and RIG are the two most commonly used exploit kits for distributing GandCrab along with the high number of malicious spam emails. GandCrab is distributed via multiple spreading vectors, which include spam emails, exploit kits and other affiliated malware campaigns. The hack was confirmed by the ransomware author, but GandCrab 2.0 was released the same week and the server was hardened against any future attacks.įigure 2: Ransomware author confirms the hack Spreading Mechanism That provided an opportunity for some lucky victims who were infected during that short window to get their files back without having to pay any ransom. The decrypter was made possible not by exploiting any flaws in the encryption process, but rather because the web server used to hold user data got compromised and all the private keys were leaked. GandCrab experienced initial setbacks when the anti-virus company Bitdefender released a decrypter for the earlier versions of GandCrab (v1.0 and v1.1). The plot line below shows a steep rise in number of GandCrab samples on weekly basis since its inception, which has been quite massive.įigure 1: Number of GandCrab samples by week GandCrab certainly supports this argument. This TLD is not sanctioned by ICANN and it therefore provides an extra level of secrecy to the attackers.Īs we mentioned in our previous articles on Black Ruby and Data Keeper, ransomware is still the favorite choice among the attackers for making money. GandCrab is also the first ransomware that demands payment in DASH cryptocurrency and utilizes the “.bit” top level domain (TLD). While there are no major differences between any two versions of this malware, the frequent changes show the time attackers are investing in maintaining and developing it. The authors of this ransomware are very active and have released at least five versions of GandCrab to date.
0 kommentar(er)
