GandCrab

Description

(VirusTotal) The GandCrab ransomware, which is no longer active, was actively distributed for a little over a year. GandCrab variants caused a great deal of damage worldwide, including in South Korea.

The GandCrab ransomware shares an interesting history with AhnLab. Like many other examples of ransomware, GandCrab searches for any running or pre-installed anti-malware program and when it finds one it interferes with its normal execution and shuts it down. However, when it came to AhnLab, GandCrab went the extra mile, specifically targeting the company and its anti-malware program V3 Lite by mentioning it in its code. It even revealed a vulnerability in the security program and made attempts to delete it entirely.

To effectively respond to and protect against GandCrab attacks, the AhnLab Security Analysis Team analysed GandCrab and all its different versions by thoroughly investigating the distributed code, encryption method, restoration method, and the evasive method it used to avoid behaviour-based detection. Each time a new attack feature targeting AhnLab and V3 was identified, the company’s product developers promptly addressed it to ensure maximum security.

The interesting conflict between AhnLab and the GandCrab ransomware was widely discussed in the IT security industry. However, the details that were revealed at the time were only the tip of the iceberg, with more details being kept private for reasons of confidentiality.

Names

  • GandCrab
  • GrandCrab

Category

Malware

Type

  • Ransomware
  • Big Game Hunting

Information

Malpedia

Alienvault Otx

Playbook

Other Information

Uuid

0b2b37bc-8665-4409-90a2-35a56aec7341

Last Card Change

2021-04-25