Ransomware GandCrab terrorizing users through Exploit Kits

A New Ransomware Family Appears

A new ransomware family named GandCrab is infecting users and demanding 1.5 Dash as ransom for the decryption key.

Ransomware is always a serious problem because, once a system is infected, there is usually no way to recover the files without the attacker's key. GandCrab is the latest family in this line. It infects systems through two separate exploit kits and demands 1.5 Dash in ransom for the decryption key.

GandCrab behaves like most other ransomware in that it collects a set of system information, encrypts the victim's files and then demands a ransom, but its distribution stands out. Most ransomware today spreads through malicious emails, whereas GandCrab is delivered by two exploit kits, RIG EK and GrandSoft EK. Exploit kits, which abuse known security flaws in browsers and browser plugins to run code on the visitor's machine, are still a common way to spread malware such as coin miners, but they have become rare for ransomware. The only other ransomware recently seen being distributed this way is Magniber.

The malware was first spotted on January 26, and Malwarebytes researchers published a full report on it on January 30. The report says that GandCrab uses two distinct exploit kits to reach victims. The reason for using separate kits is unknown; the researchers speculate that if the same actor controls both, they may be testing different distribution channels.

RIG EK is used by the Seamless malvertising campaign to distribute GandCrab. The other exploit kit, GrandSoft, was thought to have disappeared but is also being used for the same purpose. Both kits first drop the payload on the victim's system, which then profiles the machine. Information such as the computer name, keyboard layout, OS version, IP address, processor type, location, active drives, free disk space and the presence of antivirus software is collected and sent to a command-and-control server. Only then are the files encrypted and the ransom message displayed to the user.

The message reads “Welcome! We are regret, but all your files are encrypted! But don’t worry, you can return all your files. We can help you!” Besides this greeting, the ransom note asks the user to pay 1.5 Dash and warns against using a free decryptor, threatening that the files will be deleted if one is tried. The user is also shown the current exchange rate for Dash, which stood at $1038 at the time of writing, along with links to platforms where Dash can be bought. If the victim fails to pay within the stated deadline, the ransom doubles to 3 Dash.

The choice of Dash rather than Bitcoin for collecting the ransom is probably a response to the rising transaction fees that Bitcoin users have faced. While Dash is not as widely used as Bitcoin, it sees a considerable volume of daily trading and is one of the more popular altcoins in circulation.

The only reliable defence against ransomware is to prevent the infection in the first place; once files are encrypted, the chance of getting them back for free is very small, and no free decryptor for GandCrab exists at the time of writing. Because exploit kits such as RIG and GrandSoft rely on unpatched browsers and plugins, keeping the operating system, browser and plugins up to date (or removing plugins that are not needed) closes off the route GandCrab currently uses. Careful browsing habits help, and offline backups remain the only way to restore files without paying.