Test subject – GrandCrab ransomware
GandCrab (v1) is distinctive ransomware which was released at the end of January this year and infected around 50k PCs around the world. It is the first one to use the Dash cryptocurrency as payment, while Bitcoin being the first choice of most ransomware currently active. Dash is more privacy oriented, and it most likely the reason why it was chosen.
It is distributed via sophisticated email campaigns, compromised websites and utilized vulnerability exploits to infect its victims. International and .bit top-level domains were also used to make detection even more difficult, which were resolved using hardcoded DNS servers. These domains contain names users might find familiar, like bleepingcomputer.bit or nomoreransom.bit, probably in an attempt to mock the researchers.
GrandCrab ransomware test facts
The attack starts by scanning the PC for private identifiable data and standard software, like antivirus applications and other Windows related processes and apps, which GandCrab will also try to disable. Collected data, including the victim’s public IP address, is later uploaded to the Command & Control servers of GandCrab. If these cannot be contacted, the ransomware will not encrypt, but it will continue to run in the background and retry as many times as possible/needed. GandCrab has a list of 456 file types which will encrypt once the servers are reachable. These files are easily identifiable, as their extension will change to .GDCB.
There is a rumor that at the beginning of March GandCrab’s Command & Control servers were seized by the Romanian authorities. With the help of local security firms, a decryption tool was also released. This is good news, but in response, the developers released a second version of the ransomware with new C&C servers, and v2 encrypted files are impossible to decrypt at this time.
GrandCrab ransomware test results
TEMASOFT Ranstop detects this version of GrandCrab ransomware soon after it starts encrypting files. Upon detection, alerts are fired off, and the malware process is stopped and quarantined. The encrypted files are automatically restored so that the user doesn’t lose any valuable information.
About TEMASOFT Ranstop
TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.
For more information, follow us on social media and subscribe to our newsletter.