
The Grandeur of GandCrab

Ms Kritika Roy is a Threat Intelligence Researcher at DCSO Deutsche CyberSicherheitsorganisation, Berlin, Germany.
March 22, 2019

    Cyberspace has long been exploited for financial gain. Many permutations and combinations have been used for financial fraud, ranging from the theft of personal data online to the skimming of debit and credit cards. In recent years, ransomware attacks have become a prominent form of cybercrime. Although the first recorded use of ransomware occurred as early as 1989 in the form of the AIDS Trojan, which encrypted hard disks and then demanded a ransom in return for decryption, the method gained real prominence only with the WannaCry ransomware outbreak of 2017. That attack affected more than 200,000 systems in some 150 countries and accounted for losses of several million dollars. Since then, the use of ransomware has followed an upward trend.

    Malware + Ransom = Ransomware

    Ransomware is a kind of malware (software that damages the functions of, or gains unauthorised access to, a computer system) that is used either to encrypt important documents or files within a system (crypto ransomware) or simply to lock the legitimate user out of the system (locker ransomware). The user is then asked for a ransom in return for the files being decrypted. If the ransom is paid within the stipulated period, the system is unlocked; otherwise the system's contents are deleted or the system is corrupted entirely. Unlike other cyber attacks, in this form of attack the user is explicitly notified of the attack. Initially, ransomware attacks followed a pattern akin to fire and forget, that is, they were used for small-scale extortion from individuals. Now, however, the pattern has shifted to more focused and targeted attacks for larger returns, such as targeting the servers of an organisation. The effect is to turn entire organisations into victims rather than individual users, and the pay-off for the extra effort involved in performing this kind of attack is often huge.

    Owing to the growing menace of ransomware, and especially after the WannaCry attack of 2017, states have taken strict measures to curb the spread of ransomware. However, in the latest scan performed by eScan, residual artefacts of WannaCry were still observed, albeit in a dormant state. At the same time, many new, more capable and customised ransomware families are coming to the forefront. Those currently in the active stage include GandCrab and ZZZ.

    GandCrab was first spotted near the end of January 2018 and its attacks have been growing at a rapid pace since then. It is generally distributed by "phishing emails" (a malicious attachment in the email delivers the ransomware when opened) and "exploit kits" (tooling that abuses security holes found by attackers in software installed on a system to deliver the ransomware to that system). Following infiltration, the ransomware starts collecting information such as the username, PC name, OS (operating system) and other such data. It also creates a unique ransom ID and starts encrypting the files stored on the system. As a result, the user is no longer able to access the encrypted files without a decryption key, which cannot be obtained without paying the ransom.

    Initially, when GandCrab (v1.0 and v1.1) was launched, Bitdefender (an antivirus company) released a decrypter for it. This led to the creation of GandCrab 2.0, with more sophisticated code that was harder to crack. In fact, new variants of GandCrab are now detected almost every month. In 2018, GandCrab attackers were able to infect more than 50,000 victims and generate more than USD 600,000 in ransom payments from them. Though India had its fair share of ransomware attacks generally, there was a marked increase in GandCrab ransomware activity, particularly in the states of Gujarat, Telangana, Uttar Pradesh and Kerala. According to researchers, this ransomware has almost 100 active affiliates, and 80 of these participants have successfully dispersed 700 different samples of the malware. More than 70 per cent of infected PCs belong to English-speaking users, predominantly in the US and UK. However, the most recent version offers several languages to choose from, including Japanese, French, Italian and German.

    This form of cyber attack is one of the most convenient ways to engage in financial crime in cyberspace, for the simple reason that one can easily buy customised GandCrab ransomware code on the dark web, thus allowing malicious actors with little technical ability to get in on the act. Secondly, GandCrab is the first ransomware that demands payment in the DASH cryptocurrency (1 DASH is approximately 1200 USD) and uses the ".bit" top-level domain (TLD). Since this TLD is not sanctioned by ICANN (the Internet Corporation for Assigned Names and Numbers), it affords the miscreants an extra level of cover.

    Every time a cyber security organisation comes out with a decrypter to counter the effect of GandCrab, a brand new version of the ransomware is generated by effecting a small fix in the code. This highlights the inexhaustible nature of cyber weapons. Moreover, this ransomware is spreading like wildfire. To stay ahead of such threats, cyber defence organisations need state-of-the-art defences enabled with advanced technology such as machine learning. Such attacks are only going to grow in the foreseeable future, and there is no single measure that prevents them. For now, the only plausible option is prevention and risk management in the following ways:

    • Regularly apply the patches and updates released by software vendors.
    • Important data should be distributed across networks with appropriate backups, thus maintaining redundancy.
    • Stronger passwords and two-factor authentication should be enforced.
    • Continuous real-time monitoring within the system, together with firewalls, should be in place to protect against any such attacks.
    • In case of an attack, the affected network must be isolated to prevent the malware from spreading.
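As an illustration of the "continuous real-time monitoring" point above, the following is an added example (not code from the article or from any named vendor) that scans DNS query logs for lookups of the ".bit" TLD the article describes. The log format, the client addresses and the domain names are all constructed for the example.

```python
# Added example (not the article's code): flag DNS lookups for the ".bit" TLD,
# which the article notes is not sanctioned by ICANN and is used by GandCrab.
# The log format and all sample lines are constructed for this example.
import re
from collections import defaultdict

# ".bit" is from the article. No ICANN resolver can answer for it, so a lookup
# is a strong sign of software carrying its own alternative resolver.
NON_ICANN_TLDS = {"bit"}

# Constructed format: "<epoch> <client_ip> <query_name> <qtype> <rcode>"
LOG_LINE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<client>[\d.]+)\s+(?P<qname>\S+)\s+"
    r"(?P<qtype>[A-Z]+)\s+(?P<rcode>\w+)$"
)

def tld_of(qname: str) -> str:
    """Lower-cased last label of a query name, ignoring a trailing dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()

def parse_line(line: str):
    """Return the fields of one log line, or None for a malformed line."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def find_non_icann_queries(lines):
    """Map client_ip -> [(qname, rcode), ...] for hosts that looked up a
    non-ICANN TLD; an empty dict means nothing suspicious was seen."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # skip malformed lines instead of crashing
            continue
        if tld_of(rec["qname"]) in NON_ICANN_TLDS:
            hits[rec["client"]].append((rec["qname"], rec["rcode"]))
    return dict(hits)

# Constructed sample: 10.0.0.5 browses normally, 10.0.0.7 queries .bit names
# (placeholder names, not real GandCrab infrastructure).
SAMPLE_LOG = [
    "1553212800 10.0.0.5 www.example.com. A NOERROR",
    "1553212801 10.0.0.7 example-c2.bit. A NXDOMAIN",
    "1553212802 10.0.0.7 EXAMPLE-C2.BIT A NXDOMAIN",
    "garbage line that does not parse",
    "1553212803 10.0.0.5 mail.example.org. MX NOERROR",
]

if __name__ == "__main__":
    for client, qs in find_non_icann_queries(SAMPLE_LOG).items():
        print(f"ALERT {client}: {len(qs)} non-ICANN TLD lookups: {qs}")
```

Because a conventional resolver returns NXDOMAIN for every ".bit" name, the alert fires on the query itself rather than on a successful resolution, which is what makes it useful against a host that has already been infected.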

    Views expressed are of the author and do not necessarily reflect the views of the IDSA or of the Government of India.