[Malware Awareness] GandCrab comes up with new tricks

    • Updated: 18 Mar 2019
    • Product/Version: Apex Central, Deep Security, InterScan Messaging Security Virtual Appliance, OfficeScan, ScanMail for Exchange, Worry-Free Business Security Advanced
    • Platform: N/A
Summary

The GandCrab ransomware was discovered near the end of January 2018, distributed as Ransomware-as-a-Service (RaaS), and has since become the most popular and widespread ransomware.

GandCrab is the first ransomware to demand payment in the Dash cryptocurrency, which is harder to trace, and it uses the ".bit" top-level domain (TLD).

The current GandCrab campaign uses malvertising and exploits vulnerabilities in Struts, JBoss, WebLogic, and Apache Tomcat.

Details

Infection Chain

[Figure: GandCrab Infection Chain]

Capabilities

  • File Encryption
  • Disabling Usage Capability
  • Propagation
  • Download Routine

Available Solutions

VSAPI/SMART

Pattern | Detection/Policy/Rules           | Pattern branch/version | Release date
TrendX  | BKDR.Win32.TRX.XXPE50F13006K0003 | N/A                    | February 1, 2019
        | Downloader.JS.TRX.XXJSE9EFF010   |                        |
        | TROJ.Win32.TRX.XXPE50FFF028      |                        |
VSAPI   | Trojan.JS.GANDCRAB.DLDRC         | Ent OPR 14.795.07      | February 5, 2019
        | Ransom.Win32.GANDCRAB.TIOIBOBA   |                        |
        | Ransom.Win32.GANDCRAB.TIOIBOAX   |                        |
        | Trojan.JS.GANDCRAB.DLDRA         |                        |
        | Ransom.Win32.GANDCRAB.SMILB      |                        |
        | Ransom.Win32.GANDCRAB.THABAOAH   |                        |
        | Trojan.Win32.GANDCRAB.OIBOAV     |                        |
        | Ransom.Win32.GANDCRAB.THOAOGAI   |                        |
        | Trojan.Win64.GANDCRAB.AMG        |                        |
        | Ransom.Win32.GANDCRAB.AA         |                        |
        | Ransom.Win32.GANDCRAB.AMM        |                        |
        | Ransom.Win32.GANDCRAB.TIOIBOAY   |                        |
        | Trojan.W97M.GANDCRAB.AB          |                        |
Behavioral Monitoring

Pattern | Detection/Policy/Rules                         | Pattern branch/version | Release date
AEGIS   | RAN2320T (GANDCRAB extension and note)         | AEGIS TMTD OPR 1765    | March 23, 2018
AEGIS   | RAN2314T (GANDCRAB dropped file and execution) | AEGIS TMTD OPR 1753    | February 19, 2018
AEGIS   | RAN4202T (GANDCRAB extension and note)         | AEGIS TMTD OPR 1825    | September 14, 2018
AEGIS   | RAN4201T (GANDCRAB ransom note)                | AEGIS TMTD OPR 1825    | September 14, 2018
Email Protection

Subject     | MD5                              | Pattern branch/version | Release date
BC A2897001 | b3f472fcc9c96721205b75200a145fb2 | AS Pattern 4414        | February 6, 2019
:D          | 3d82896f4e56912c29d25eee626fafeb | AS Pattern 4414        | February 6, 2019
:)          | c41c71ea30815c29b52e002ca5b13739 | AS Pattern 4414        | February 6, 2019
:)          | a78cb5897545d040be8312cc65654589 | AS Pattern 4414        | February 6, 2019
BC A2897001 | a1501027d25ad06931665149d3916993 | AS Pattern 4414        | February 6, 2019
[SPAM] :)   | 17dafde0547a832fcbd9f7dc14402bc5 | AS Pattern 4414        | February 6, 2019
BC A2897001 | a729651fe7d10e48b4a31f49adac846f | AS Pattern 4414        | February 6, 2019
BC A2897001 | d2b09bf0401bad25e5a6e9f09d7e2efa | AS Pattern 4414        | February 6, 2019
:)          | b528af611a852e8ac0d3b9a2a58fda00 | AS Pattern 4414        | February 6, 2019
URL Protection

URL                                     | Category          | Blocking date
hxxp://92.63.197.48:80/t.php?new=1      | Disease Vector    | October 1, 2018
hxxp://92.63.197.153:80/mcdonalds.exe   | Malware Accomplice | February 2, 2019
hxxp://92.63.197.112:80/t.php?new=1     | Disease Vector    | September 7, 2018
hxxp://utdifguizdidiz.ru:80/1.exe       | Disease Vector    | February 5, 2019
hxxp://uaihefiuieagug.ru:80/5.exe       | Disease Vector    | February 5, 2019
hxxp://92.63.197.153:80/1.exe           | Disease Vector    | February 1, 2019
hxxp://fieooeoafheifi.ru:80/4.exe       | Disease Vector    | February 4, 2019
hxxp://sriuedueiuiefg.ru:80/5.exe       | Disease Vector    | February 5, 2019
hxxp://sefuhsuifhishf.ru:80/2.exe       | Disease Vector    | February 4, 2019
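The summary states that GandCrab uses the ".bit" TLD, and the URL Protection table above lists the blocked download URLs in defanged "hxxp" form. The script below is an added example, not part of this article or of any Trend Micro product: it refangs the table's URLs into host indicators and scans proxy log lines for either a listed host or any request to a ".bit" domain, which is the check a SOC analyst would run against web-proxy logs after reading this advisory. The log line format and the domain "example-c2.bit" are constructed for the demonstration; the indicator URLs are the ones in the table.

```python
import re

# URL indicators copied from the advisory's URL Protection table (defanged as published).
DEFANGED_URLS = [
    "hxxp://92.63.197.48:80/t.php?new=1",
    "hxxp://92.63.197.153:80/mcdonalds.exe",
    "hxxp://92.63.197.112:80/t.php?new=1",
    "hxxp://utdifguizdidiz.ru:80/1.exe",
    "hxxp://uaihefiuieagug.ru:80/5.exe",
    "hxxp://92.63.197.153:80/1.exe",
    "hxxp://fieooeoafheifi.ru:80/4.exe",
    "hxxp://sriuedueiuiefg.ru:80/5.exe",
    "hxxp://sefuhsuifhishf.ru:80/2.exe",
]

# Constructed sample proxy log lines (timestamp, client, method, URL, status).
# The ".bit" domain is a made-up placeholder, not an indicator from the advisory.
SAMPLE_LOG = [
    "2019-02-05T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2019-02-05T10:00:07Z 10.0.0.5 GET http://uaihefiuieagug.ru:80/5.exe 200",
    "2019-02-05T10:00:09Z 10.0.0.9 GET http://92.63.197.153:80/mcdonalds.exe 200",
    "2019-02-05T10:00:11Z 10.0.0.9 GET http://example-c2.bit/gate 503",
]


def refang(url):
    """Turn the published hxxp:// / hxxps:// form back into a matchable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url.strip())


def indicator_hosts(urls):
    """Extract the host (without port or path) from each defanged URL."""
    hosts = set()
    for url in urls:
        match = re.match(r"^https?://([^/:]+)", refang(url))
        if match:
            hosts.add(match.group(1).lower())
    return hosts


def scan_proxy_log(lines, hosts):
    """Return (line_no, reason, host) for every line that hits a listed host
    or requests any .bit domain; lines with no URL are skipped."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = re.search(r"https?://([^/\s:]+)", line)
        if not match:
            continue
        host = match.group(1).lower()
        if host in hosts:
            hits.append((line_no, "advisory_url_indicator", host))
        elif host.endswith(".bit"):
            hits.append((line_no, "bit_tld", host))
    return hits


def scan_sample():
    """Run the scan over the constructed sample log."""
    return scan_proxy_log(SAMPLE_LOG, indicator_hosts(DEFANGED_URLS))


if __name__ == "__main__":
    for line_no, reason, host in scan_sample():
        print(f"line {line_no}: {reason} ({host})")
```

Matching on the host rather than the full URL is deliberate: the same hosts in the table serve several file names (for example 92.63.197.153 appears with both mcdonalds.exe and 1.exe), so a host-level match catches a retrieval of a file name the table does not list. The ".bit" check is a heuristic, not an indicator from the table; treat those hits as leads to triage, since ".bit" names do not resolve through ordinary DNS and any such request from a corporate host is unusual.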

Recommendation

Threat Report

Blogs

Read the KB article on Submitting suspicious or undetected virus for file analysis to Technical Support.

Category: Remove a Malware / Virus
Solution Id: 1122197