Summary
The GandCrab ransomware was discovered near the end of January 2018 as part of Ransomware-as-a-Service (RaaS), and it now became the most popular and widespread ransomware.
The GandCrab is the first ransomware that demands payment in Dash cryptocurrency, which is more complicated to trace and uses the ".bit" top level domain (TLD).
The current GandCrab campaign utilizes malvertising and exploits the Struts, JBoss, Weblogic, and Apache Tomcat vulnerabilities.
Details
Infection Chain
Capabilities
- File Encryption
- Disabling Usage Capability
- Propagation
- Download Routine
Available Solutions
| VSAPI/SMART | |||
|---|---|---|---|
| Pattern | Detection/Policy/Rules | Pattern branch/version | Release date |
| TrendX | BKDR.Win32.TRX.XXPE50F13006K0003 Downloader.JS.TRX.XXJSE9EFF010 TROJ.Win32.TRX.XXPE50FFF028 | N/A | February 1, 2019 |
| VSAPI | Trojan.JS.GANDCRAB.DLDRC Ransom.Win32.GANDCRAB.TIOIBOBA Ransom.Win32.GANDCRAB.TIOIBOAX Trojan.JS.GANDCRAB.DLDRA Ransom.Win32.GANDCRAB.SMILB Ransom.Win32.GANDCRAB.THABAOAH Trojan.Win32.GANDCRAB.OIBOAV Ransom.Win32.GANDCRAB.THOAOGAI Trojan.Win64.GANDCRAB.AMG Ransom.Win32.GANDCRAB.AA Ransom.Win32.GANDCRAB.AMM Ransom.Win32.GANDCRAB.TIOIBOAY Trojan.W97M.GANDCRAB.AB | Ent OPR 14.795.07 | February 5, 2019 |
| Behavioral Monitoring | |||
|---|---|---|---|
| Pattern | Detection/Policy/Rules | Pattern branch/version | Release date |
| AEGIS | RAN2320T (GANDCRAB extension and note) | AEGIS TMTD OPR 1765 | March 23, 2018 |
| AEGIS | RAN2314T (GANDCRAB dropped file and execution) | AEGIS TMTD OPR 1753 | February 19, 2018 |
| AEGIS | RAN4202T (GANDCRAB extension and note | AEGIS TMTD OPR 1825 | September 14, 2018 |
| AEGIS | RAN4201T (GANDCRAB ransom note) | AEGIS TMTD OPR 1825 | September 14, 2018 |
| Email Protection | |||
|---|---|---|---|
| Subject | MD5 | Pattern branch/version | Release date |
| BC A2897001 | b3f472fcc9c96721205b75200a145fb2 | AS Pattern 4414 | February 6, 2019 |
| :D | 3d82896f4e56912c29d25eee626fafeb | AS Pattern 4414 | February 6, 2019 |
| :) | c41c71ea30815c29b52e002ca5b13739 | AS Pattern 4414 | February 6, 2019 |
| :) | a78cb5897545d040be8312cc65654589 | AS Pattern 4414 | February 6, 2019 |
| BC A2897001 | a1501027d25ad06931665149d3916993 | AS Pattern 4414 | February 6, 2019 |
| [SPAM] :) | 17dafde0547a832fcbd9f7dc14402bc5 | AS Pattern 4414 | February 6, 2019 |
| BC A2897001 | a729651fe7d10e48b4a31f49adac846f | AS Pattern 4414 | February 6, 2019 |
| BC A2897001 | d2b09bf0401bad25e5a6e9f09d7e2efa | AS Pattern 4414 | February 6, 2019 |
| :) | b528af611a852e8ac0d3b9a2a58fda00 | AS Pattern 4414 | February 6, 2019 |
| URL Protection | ||
|---|---|---|
| URL | Category | Blocking Date |
| hxxp://92.63.197.48:80/t.php?new=1 | Disease Vector | October 1, 2018 |
| hxxp://92.63.197.153:80/mcdonalds.exe | Malware Accomplice | February 2, 2019 |
| hxxp://92.63.197.112:80/t.php?new=1 | Disease Vector | September 7, 2018 |
| hxxp://utdifguizdidiz.ru:80/1.exe | Disease Vector | February 5, 2019 |
| hxxp://uaihefiuieagug.ru:80/5.exe | Disease Vector | February 5, 2019 |
| hxxp://92.63.197.153:80/1.exe | Disease Vector | February 1, 2019 |
| hxxp://fieooeoafheifi.ru:80/4.exe | Disease Vector | Disease Vector February 4, 2019 |
| hxxp://sriuedueiuiefg.ru:80/5.exe | Disease Vector | February 5, 2019 |
| hxxp:// sefuhsuifhishf.ru:80/2.exe | Disease Vector | February 4, 2019 |
Recommendation
Threat Report
- Trend Micro Threat Encyclopedia: RANSOM_GANDCRAB.THABIH
- Trend Micro Threat Encyclopedia: RANSOM_GANDCRAB.THACOH
- Trend Micro Threat Encyclopedia: RANSOM_GANDCRAB.A
- Trend Micro Threat Encyclopedia: Ransom_GANDCRAB.THAOAAAH
Blogs
- New Exploit Kit Fallout Delivering Gandcrab Ransomware
- .EGG Files in Spam Delivers GandCrab v4.3 Ransomware to South Korean Users
- New GandCrab Variants, Varied Payloads Delivered Via Spam Campaign
Read the KB article on Submitting suspicious or undetected virus for file analysis to Technical Support.
