On February 2nd, 2018, cyber security researchers from the Australia-based firm LMNTRIX revealed that GandCrab licenses are being sold on the dark web for an unspecified price.
Applying marketing tactics to the lucrative cybercrime scene, the extortionists behind GandCrab are advertising the ransomware as ransomware-as-a-service (RaaS) on several Russian-speaking underground platforms.
Ransomware-as-a-service (RaaS) offerings on the dark web are on the rise.
This is not surprising, considering the success of the cybercrime industry, which experts say now generates more revenue than the traditional drug trade. More people are taking part in illegal activities, especially on underground forums, and stand to earn millions of dollars without being noticed.
Such success stories have motivated more people with ill intent to try their luck on those forums. Payment is made in cryptocurrency in exchange for instructions on how to customize and distribute the purchased ransomware.
GandCrab follows the standard ransomware modus operandi, and it is a newcomer compared with established families such as Cerber or Petya.
However, experts believe GandCrab may spread further because of some distinctive features. Unlike those families, GandCrab is delivered through the RIG and GrandSoft exploit kits, which are fed traffic by the malvertising campaign known as 'Seamless.'
Once launched, the malware encrypts files on the target system and appends the .GDCB extension to each of them. It also drops a ransom note named GDCB-DECRYPT.txt on the desktop instructing the victim to pay 1.54 Dash.
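A triage check for the two filesystem indicators described above, added here as an example (mine, not code from the article or from LMNTRIX): it walks a directory tree for files carrying the .GDCB suffix and for GDCB-DECRYPT.txt notes, and applies a Shannon-entropy check so that a file that merely has the suffix is not miscounted as encrypted. The sample tree, file names, note text and the 7.0-bits-per-byte threshold are constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Indicators named in the article; everything else below is constructed for the example.
ENCRYPTED_EXT = ".GDCB"
RANSOM_NOTE = "GDCB-DECRYPT.txt"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted data sits close to 8.0, text far below."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def scan_for_gandcrab(root: str, entropy_threshold: float = 7.0) -> dict:
    """Walk a tree and collect ransom notes and renamed files.

    A *.GDCB file is only reported as encrypted when its first 4 KiB look like
    ciphertext; low-entropy files with the suffix are listed separately so a
    responder can look at them rather than trust the name alone.
    """
    result = {"notes": [], "encrypted": [], "suspicious_names": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                result["notes"].append(path)
            elif name.endswith(ENCRYPTED_EXT):
                with open(path, "rb") as fh:
                    head = fh.read(4096)
                if shannon_entropy(head) >= entropy_threshold:
                    result["encrypted"].append(path)
                else:
                    result["suspicious_names"].append(path)
    # The original file name is recoverable by stripping the appended suffix.
    result["original_names"] = [
        os.path.basename(p)[: -len(ENCRYPTED_EXT)] for p in result["encrypted"]
    ]
    return result


def build_constructed_sample(root: str) -> None:
    """Constructed test tree: two 'encrypted' files, one decoy, one ransom note."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("budget.xlsx", "thesis.docx"):
        with open(os.path.join(docs, name + ENCRYPTED_EXT), "wb") as fh:
            fh.write(os.urandom(4096))  # stands in for ciphertext
    with open(os.path.join(docs, "notes.txt" + ENCRYPTED_EXT), "wb") as fh:
        fh.write(b"plain text that merely carries the suffix\n" * 50)  # decoy
    with open(os.path.join(docs, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("Constructed note text: pay 1.54 DASH to recover your files\n")


def demo() -> dict:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_sample(root)
        return scan_for_gandcrab(root)


if __name__ == "__main__":
    report = demo()
    print(f"notes found: {len(report['notes'])}")
    print(f"encrypted files: {sorted(report['original_names'])}")
    print(f"suffix-only files to review: {len(report['suspicious_names'])}")
```

The entropy threshold is deliberately conservative: compressed archives and media also score high, so a hit on the suffix plus high entropy plus a note in the same directory is the combination worth escalating, not any one of them.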
GandCrab is so far the only ransomware that demands payment exclusively in the Dash cryptocurrency, which offers stronger anonymity and lower transaction fees than Bitcoin. At the time of writing a single Dash coin is worth roughly $600 USD, so the 1.54 Dash demand amounts to almost $1,000 USD.
The exact number of GandCrab victims is not yet known; however, based on LMNTRIX's report, the Russian-language underground ads promoting the RaaS are a sign of trouble ahead.
The ads themselves, LMNTRIX notes, tell partners not to target Russian-speaking countries.
According to LMNTRIX, the GandCrab developers run a revenue-sharing scheme in which partners keep 60% of paid ransoms, with the possibility of raising their share to 70%.
As a further incentive, the GandCrab package offers technical support and updates at discounted prices, plus an instructional video showing how the ransomware evades antivirus detection.
The GandCrab Deal
Before the deal is signed, the GandCrab developers set out terms and conditions that partners must adhere to; failure to comply has consequences, such as deletion of the partner's account.
Among these terms: partners must apply and register to use the GandCrab package; partners must not attack any of the former Soviet republics (Kyrgyzstan, Moldova, Russia, Tajikistan, Armenia, Uzbekistan, Azerbaijan, Belarus and Kazakhstan); and each partner is limited to a set number of 'seats' assigned to them.
The LMNTRIX researchers investigating the newly discovered ransomware said they still do not know how many licenses have been sold on the dark web, but estimate the figure at fewer than 10, since no attacks using the ransomware have been reported so far.
The ransomware collects intelligence from the victim's PC, such as its IP address, the active fixed drives, the system language, the keyboard layout, the operating system, the computer name, and whether antivirus software is present.
This information is sent to a central command-and-control server.
As reported by LMNTRIX, the English version of the RaaS advert states that users of the service can configure individual bots, the ransom size and the encryption masks; that the victim's payment page can be accessed and configured with an ordinary browser; and that a 'convenient admin control panel' is hosted on a Tor hidden service.
The advert further states that if the victim does not pay within the allotted time, the ransom amount doubles automatically.
GandCrab's encryption relies on RSA: a key is generated on the victim's machine and used to encrypt the target files. However, LMNTRIX says it is possible to decrypt the files by extracting that key from the system's memory, a recovery that only works while the key is still resident, so a memory capture must be taken before the ransomware process exits or the machine is rebooted.
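The recovery LMNTRIX describes depends on how file-encrypting ransomware of this kind is usually built: a per-victim symmetric key encrypts the files and the attacker's RSA public key wraps that symmetric key, so nothing on disk lets the victim recover it, but it sits in the ransomware's memory while the process runs. The following added example (mine, not GandCrab's code or LMNTRIX's tooling) models that with a toy textbook-RSA key pair and a SHA-256 counter-mode stream cipher, then carves the key back out of a constructed "memory dump" by testing each candidate window against the known header of an encrypted PNG. The cipher, key sizes, file names and the use of the .GDCB suffix are assumptions for illustration; the RSA here is unpadded and far too small to be secure.

```python
import hashlib
import secrets

# Known-plaintext anchor: the first 8 bytes of any PNG file (real magic; used to validate a carved key).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (constructed): SHA-256 in counter mode, XORed with data.
    Symmetric, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (enough for a toy key pair)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits: int = 96):
    """Textbook RSA (no padding, toy size). Returns ((n, e), (n, d)); the attacker keeps d."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def encrypt_victim(files: dict, pub) -> tuple:
    """Ransomware side: per-victim key, encrypt each file, wrap the key with the public key.
    The plaintext key is returned only to stand in for 'still present in process memory'."""
    n, e = pub
    session_key = secrets.token_bytes(16)          # 128-bit key, smaller than the toy modulus
    encrypted = {name + ".GDCB": keystream_xor(session_key, data) for name, data in files.items()}
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return encrypted, wrapped, session_key


def carve_key_from_memory(dump: bytes, ciphertext: bytes, key_len: int = 16):
    """Defender side: slide a window over a memory image and accept the first window
    that decrypts the ciphertext's first bytes to the known file magic."""
    probe = ciphertext[:len(PNG_MAGIC)]
    for off in range(len(dump) - key_len + 1):
        cand = dump[off:off + key_len]
        if keystream_xor(cand, probe) == PNG_MAGIC:
            return cand
    return None


def demo() -> bool:
    """Both recovery routes agree: unwrapping with d (attacker) and carving from memory (defender)."""
    pub, priv = rsa_keypair()
    files = {"photo.png": PNG_MAGIC + b"constructed sample image body"}
    enc, wrapped, live_key = encrypt_victim(files, pub)
    # Constructed "memory dump": the live key buried in unrelated process data.
    dump = secrets.token_bytes(2048) + live_key + secrets.token_bytes(2048)
    carved = carve_key_from_memory(dump, enc["photo.png.GDCB"])
    recovered = keystream_xor(carved, enc["photo.png.GDCB"])
    n, d = priv
    unwrapped = pow(wrapped, d, n).to_bytes(16, "big")
    return carved == live_key == unwrapped and recovered == files["photo.png"]


if __name__ == "__main__":
    print("key carved from memory and files recovered:", demo())
```

The carve succeeds only because the key is in the image; after the process exits or the machine reboots, the same scan finds nothing, which is the practical reason to capture memory before cleaning an infected host.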