Defeating a particular strand of ransomware doesn’t mean it’s dead and buried; you only have to take a look at GandCrab to see how it can evolve.
GandCrab first emerged online at the start of 2018 and began to spread rapidly across the globe. Known as a Ransomware-as-a-Service (RaaS) attack, GandCrab has been able to continue causing chaos thanks to its code receiving regular updates. Now, as ransomware is such a pressing concern at the best of times, the realization that it can rapidly evolve is very troubling for anyone who heads online.
Due to the economic impact, not to mention the effect on productivity, that ransomware can cause to organizations, we’re going to take a close look at GandCrab to understand how and why it has evolved.
What is RaaS?
GandCrab is classed as a RaaS, but what exactly does this mean? Well, RaaS is built upon an attack where ransomware is written by cyber-criminals and then sold on to attackers who may not have the technical knowledge to write their own ransomware. Sometimes, however, the attackers may be perfectly capable of writing their own ransomware, but they don’t have the time and are just looking for a quick buck instead. Nonetheless, RaaS is highly popular due to the ease with which it can be deployed and the ready availability of the code. And this is exactly how GandCrab has been operating since the start of the year.
How Does GandCrab Operate?
Rather than concentrating on just one deployment method, GandCrab is particularly virulent thanks to its multifaceted approach which includes spam emails, exploit kits and malvertising. Once executed, GandCrab begins compiling information on the victim’s PC and scans for file extensions that it’s capable of encrypting. Early versions of GandCrab would encrypt files with a .CRAB extension, but the latest versions have begun encrypting files with 5 digit extensions that are randomly generated. GandCrab is also different to most other ransomware as it demands its ransom in Dash, a cryptocurrency which launched in 2015, rather than Bitcoin.
The Evolution of GandCrab
In total, there have been five versions of GandCrab released since its initial detection. Being a RaaS, the writers of GandCrab are keen to keep the money flowing in and this has fuelled their determination to update their product. Those who were infected by versions 1.0 and 1.1 were in luck early on as BitDefender managed to code a decryptor to retrieve files which had been compromised. However, this setback only served to inspire the hackers behind GandCrab to update the code significantly in GandCrab 2.0. Since then, less significant, but regular updates have allowed GandCrab to stay ahead of the security experts and keep their product bringing in its illicit income.
Can GandCrab be Defeated?
Despite the strength of GandCrab’s defenses, it appears that the security experts may be getting closer. Recent developments have seen BitDefender refining their decryptor software to unlock files encrypted by GandCrab versions 1, 4 and 5. Unfortunately, progress on decrypting files encrypted by versions 2 and 3 has been much slower and these files remain encrypted unless the victims are willing to pay the ransom. Ultimately, the best way for your organization to protect its data from the threat of ransomware such as GandCrab is by practicing best security practices and not having to decrypt any files whatsoever.
For more ways to secure and optimize your business technology, contact your local IT professionals.
