Background

A new ransomware, GandCrab, aims to pinch your data and extort you for its return. This malware was first identified in late January of 2018. It is distributed by two known exploit kits, GrandSoft EK and RIG EK, in what may be an A/B test of delivery mechanisms. If successful, GandCrab will encrypt selected files on the host system and append those files with a GDCB suffix.

Why is GandCrab Important and Why Should I Be Concerned?

GandCrab is ransomware. It encrypts files then extorts the rightful owner to regain access to their data. A victim of GandCrab will lose:

  • Time recovering encrypted information
  • Money, should they opt to pay the ransom
  • Possibly the encrypted data

This malware is also new, which means it may be evolving towards greater sophistication. There are reports of GandCrab being marketed and sold as Ransomware-as-a-Service (RaaS) on hacking forums. 

Its distribution by multiple exploit kits suggests the malware’s author(s) may still be searching for a way to achieve optimal effectiveness. It is also the first known ransomware to use the identity-protecting Dash cryptocurrency instead of BitCoin or other popular alternatives.


Figure 1: Files appended with a GDCB suffix

There is no known method of decrypting lost files using third-party solutions. Instructions for paying the ransom are found in the GDCB-DECRYPT.txt file which is deposited in various locations on the host system.

The instructions read:

Figure 2: GandCrab ransom note

Paying ransom requires the victim to shell out an unspecified amount of Dash cryptocurrency for promised (but not verified) file decryption. Restoring the encrypted files from a recent backup remains a viable workaround. The best option, of course, is to prevent the malware from executing altogether.

Cylance Stops GandCrab

Our customers will be pleased to hear that CylancePROTECT® can identify and stop GandCrab. Cylance has been capable of detecting and preventing GandCrab since March 29, 2016. Our researchers tested earlier versions of CylancePROTECT against this brand-new threat. They discovered our solution could outfox this malware 659 days* before it was first detected. This proves, once again, that prevention is the best path to security.

 

*(1 year, 9 months, 2 weeks, and 6 days for those who are counting)