Sign In with your
Trend Micro Account

Sign in to MySupport

Need Help?

Need More Help?

Create a technical support case if you need further support.

[Malware Awareness] GandCrab comes up with new tricks

- Updated:
- 18 Mar 2019
- Product/Version:
- Apex Central™ All.All
- Apex One All.All
- Deep Security 10.0
- Deep Security 11.0
- InterScan Messaging Security Virtual Appliance 9.0
- InterScan Messaging Security Virtual Appliance 9.1
- OfficeScan 11.0
- OfficeScan XG.All
- ScanMail for Exchange 12.0
- ScanMail for Exchange 12.5
- Worry-Free Business Security Standard/Advanced 10.0
- Platform:
- N/A N/A

Summary

The GandCrab ransomware was discovered near the end of January 2018 as part of Ransomware-as-a-Service (RaaS), and it now became the most popular and widespread ransomware.

The GandCrab is the first ransomware that demands payment in Dash cryptocurrency, which is more complicated to trace and uses the ".bit" top level domain (TLD).

The current GandCrab campaign utilizes malvertising and exploits the Struts, JBoss, Weblogic, and Apache Tomcat vulnerabilities.

Details

Infection Chain

Capabilities

File Encryption
Disabling Usage Capability
Propagation
Download Routine

Available Solutions

VSAPI/SMART
Pattern	Detection/Policy/Rules	Pattern branch/version	Release date
TrendX	BKDR.Win32.TRX.XXPE50F13006K0003 Downloader.JS.TRX.XXJSE9EFF010 TROJ.Win32.TRX.XXPE50FFF028	N/A	February 1, 2019
VSAPI	Trojan.JS.GANDCRAB.DLDRC Ransom.Win32.GANDCRAB.TIOIBOBA Ransom.Win32.GANDCRAB.TIOIBOAX Trojan.JS.GANDCRAB.DLDRA Ransom.Win32.GANDCRAB.SMILB Ransom.Win32.GANDCRAB.THABAOAH Trojan.Win32.GANDCRAB.OIBOAV Ransom.Win32.GANDCRAB.THOAOGAI Trojan.Win64.GANDCRAB.AMG Ransom.Win32.GANDCRAB.AA Ransom.Win32.GANDCRAB.AMM Ransom.Win32.GANDCRAB.TIOIBOAY Trojan.W97M.GANDCRAB.AB	Ent OPR 14.795.07	February 5, 2019

Behavioral Monitoring
Pattern	Detection/Policy/Rules	Pattern branch/version	Release date
AEGIS	RAN2320T (GANDCRAB extension and note)	AEGIS TMTD OPR 1765	March 23, 2018
AEGIS	RAN2314T (GANDCRAB dropped file and execution)	AEGIS TMTD OPR 1753	February 19, 2018
AEGIS	RAN4202T (GANDCRAB extension and note	AEGIS TMTD OPR 1825	September 14, 2018
AEGIS	RAN4201T (GANDCRAB ransom note)	AEGIS TMTD OPR 1825	September 14, 2018

Email Protection
Subject	MD5	Pattern branch/version	Release date
BC A2897001	b3f472fcc9c96721205b75200a145fb2	AS Pattern 4414	February 6, 2019
:D	3d82896f4e56912c29d25eee626fafeb	AS Pattern 4414	February 6, 2019
:)	c41c71ea30815c29b52e002ca5b13739	AS Pattern 4414	February 6, 2019
:)	a78cb5897545d040be8312cc65654589	AS Pattern 4414	February 6, 2019
BC A2897001	a1501027d25ad06931665149d3916993	AS Pattern 4414	February 6, 2019
[SPAM] :)	17dafde0547a832fcbd9f7dc14402bc5	AS Pattern 4414	February 6, 2019
BC A2897001	a729651fe7d10e48b4a31f49adac846f	AS Pattern 4414	February 6, 2019
BC A2897001	d2b09bf0401bad25e5a6e9f09d7e2efa	AS Pattern 4414	February 6, 2019
:)	b528af611a852e8ac0d3b9a2a58fda00	AS Pattern 4414	February 6, 2019

URL Protection
URL	Category	Blocking Date
hxxp://92.63.197.48:80/t.php?new=1	Disease Vector	October 1, 2018
hxxp://92.63.197.153:80/mcdonalds.exe	Malware Accomplice	February 2, 2019
hxxp://92.63.197.112:80/t.php?new=1	Disease Vector	September 7, 2018
hxxp://utdifguizdidiz.ru:80/1.exe	Disease Vector	February 5, 2019
hxxp://uaihefiuieagug.ru:80/5.exe	Disease Vector	February 5, 2019
hxxp://92.63.197.153:80/1.exe	Disease Vector	February 1, 2019
hxxp://fieooeoafheifi.ru:80/4.exe	Disease Vector	Disease Vector February 4, 2019
hxxp://sriuedueiuiefg.ru:80/5.exe	Disease Vector	February 5, 2019
hxxp:// sefuhsuifhishf.ru:80/2.exe	Disease Vector	February 4, 2019

Recommendation

Ransomware: Solutions, Best Practice Configuration and Prevention using Trend Micro products

Threat Report

Blogs

Read the KB article on Submitting suspicious or undetected virus for file analysis to Technical Support.

Rating:

Category:

Remove a Malware / Virus

Solution Id:

1122197

Feedback

Did this article help you?

Thank you for your feedback!

What was the problem with this article?

The image(s) in the article did not display properly.

The article did not provide detailed procedure.

The article is hard to understand and follow.

The video did not play properly.

The article did not resolve my issue.

Others. Please specify.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support

Thanks for voting.

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:

We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.