GlobalSign Blog

24 May 2018

The Gandcrab Ransomware and its Dangerous Claws

Move over, Mr. Krabs. There’s a new money-grabbing crab lurking online. Following in the footsteps of infamous ransomware families such as WannaCry and Petya, the Gandcrab ransomware is making a name for itself, having steadily become the most widely distributed ransomware on illegal hacking forums. Security experts are worried that Gandcrab is spreading far too fast, with the crabby ransomware already seeded within legitimate websites. So it’s only fitting to know what we’re up against.

What Exactly is Gandcrab?

After WannaCry terrorized almost the entire world, a lot of copycat ransomware popped up to try and replicate its success. Most failed, and very few managed to cause real damage. Gandcrab, on the other hand, was able to infect 50,000 machines in under a month. The Gandcrab ransomware first made an impact in January, after security researchers discovered an infection chain relying on exploit kits, the newest platform used to deliver malware online.

Once Gandcrab takes over a victim’s computer and encrypts its files, it demands a ransom ranging from US$300 to US$500. The ransom must be paid in the virtual currency Dash, a currency known for making online transactions less traceable, which also makes it convenient for illegal ransom payments. In February, mere weeks after Gandcrab’s grand debut, a team consisting of renowned security firm Bitdefender, Europol, and the Romanian police developed a tool to decrypt Gandcrab-infected files.

But that was only the beginning. A second version of the Gandcrab ransomware was subsequently released, this time with improved code and a new scheme: it appends the .crab extension to the files it encrypts. A third version of Gandcrab was released a day after the second one went live. This time, the ransomware replaces the victim’s desktop background with a ransom note. The spread of Gandcrab has been rapid, to say the least, and security experts are worried about its implications.

“Most small businesses aren’t aware that a new vulnerability has been released against a web framework and even if they did, most lack the expertise and time to be able to frequently update the software that the companies’ websites rely upon,” Cisco Talos researcher Nick Biasini explained in his report. At one point, the Talos team detected four simultaneous ransomware campaigns targeting both new and already compromised websites. Needless to say, the hackers behind Gandcrab are relentless.

“Adversaries, on the other hand, are able to quickly leverage these vulnerabilities and begin widely scanning the internet looking for potential victims. Leveraging these compromised sites in these types of spam campaigns is increasingly effective because adversaries don’t need to maintain persistence, or do much of anything other than copying a file to a specific location that they can point to systems, allowing for infection,” Biasini added.

Avoiding the Claws of Gandcrab

Despite the dangers it poses, Gandcrab isn’t that hard to avoid as long as you’re always vigilant in spotting fake emails. After all, this crabby ransomware uses spam campaigns to get onto computers. A Gandcrab email usually imitates an invoice or sales email to encourage a click from victims. Just like the classic phishing schemes of the past, the email leads you to a compromised website and Gandcrab does the rest—you know the drill.

Fortunately, telling legitimate, signed emails from fake ones is easy, thanks to S/MIME. Not only will S/MIME encrypt your emails, it will also sign them, so your recipients know the message really came from you and its contents weren’t tampered with in transit. So if you ever receive an invoice email, or any other type of email, without any such security indicators, it’s best to avoid opening it. Remember, all it takes is one click, and Gandcrab can take you and your office down with it.
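To make the S/MIME point concrete, here is an added example (not code from the GlobalSign post) that uses the openssl command-line tool's smime subcommand to sign a constructed invoice message, verify it against the sender's certificate, and then show that the same message with its amount altered after signing no longer verifies. It assumes the openssl CLI is installed; the self-signed certificate, the sender name accounts@example.invalid and the invoice text are placeholders constructed for the demo, where a real deployment would use a certificate issued by a CA the recipient trusts.

```shell
#!/bin/sh
# Added example, not code from the GlobalSign post: what an S/MIME signature
# buys the recipient. A signed invoice verifies against the sender's
# certificate; the same invoice with its amount changed in transit does not.
# Assumptions: the openssl CLI is installed; a self-signed certificate stands
# in for a CA-issued S/MIME certificate; sender address and invoice text are
# constructed placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sender identity. For the demo the certificate is self-signed and
# doubles as the trust anchor; in practice the recipient trusts the issuing CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/sender.key" -out "$WORK/sender.crt" \
    -subj "/CN=accounts@example.invalid" >/dev/null 2>&1

# Constructed invoice body of the kind a Gandcrab lure imitates.
printf 'Invoice 1234\nTotal due: 400.00 USD\n' > "$WORK/invoice.txt"

# sign_message <plaintext> <out>: the sender clear-signs the message
# (multipart/signed), so the text stays readable and the signature covers it.
sign_message() {
    openssl smime -sign -in "$1" -signer "$WORK/sender.crt" \
        -inkey "$WORK/sender.key" -out "$2" 2>/dev/null
}

# verify_message <signed-eml>: exit status 0 only if the signature is valid
# and the signer chains to a trusted certificate (here, the sender's own).
verify_message() {
    openssl smime -verify -in "$1" -CAfile "$WORK/sender.crt" \
        -out /dev/null >/dev/null 2>&1
}

SIGNED="$WORK/invoice.signed.eml"
TAMPERED="$WORK/invoice.tampered.eml"
sign_message "$WORK/invoice.txt" "$SIGNED"

# Simulate tampering after signing: change the amount in the clear-text part.
sed 's/400\.00/4000.00/' "$SIGNED" > "$TAMPERED"

if verify_message "$SIGNED"; then
    echo "original invoice: signature OK"
else
    echo "original invoice: signature FAILED"
fi
if verify_message "$TAMPERED"; then
    echo "tampered invoice: signature OK (unexpected)"
else
    echo "tampered invoice: signature FAILED, contents were altered"
fi
```

Run it as a script; the first check succeeds and the second fails, which is exactly the behaviour a mail client relies on when it shows (or withholds) the signed-message indicator. The verification step trusts only the certificate passed with -CAfile, so a message signed with some other key, however convincing the From: line, is rejected the same way as the tampered one.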

Keeping up with the latest online threats is half of the battle. For more cybersecurity-related news and features, visit GlobalSign’s official blog. To learn more about GlobalSign and how we can improve your company’s cybersecurity, visit our official website.
