A new ransomware called GandCrab was released towards the end of last week and is currently being distributed via exploit kits. GandCrab has some features not seen before in ransomware: it is the first to accept the DASH cryptocurrency as payment, and the first to use the Namecoin-powered .BIT TLD for its command-and-control domains. The campaign has spread quickly and has hit a large number of businesses in the Tri-state area.
GandCrab typically leverages compromised RDP access as its means of ingress. The attacker first gains that access by:
- Purchasing previously brute-forced credentials from marketplaces like XDedic.
- Phishing an employee of the company to gain control of their machine, then using that foothold to brute-force RDP logons from inside the network.
- Brute-forcing RDP services exposed to the internet and found through search engines like Shodan.
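The second and third ingress methods above leave a characteristic trail in the Windows Security log: a burst of Event ID 4625 (failed logon) records with Logon Type 10 (RemoteInteractive, i.e. RDP) from one source address, often cycling through account names, and, if the attack succeeds, a 4624 (successful logon) of the same type from the same source shortly afterwards. The following detector is an added example written for this article, not code from the original post or from any vendor tool. The one-line-per-event log layout it parses is a constructed simplification of the 4624/4625 fields (an assumption, not any real exporter's format), and the sample lines are constructed, not captured from a real incident.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumption: one event per line, fields flattened from the
# Windows Security log). 4625 = failed logon, 4624 = successful logon,
# LogonType=10 = RemoteInteractive (RDP), LogonType=3 = network logon (not RDP).
SAMPLE_LOG = """\
2018-01-29T02:00:01 4625 LogonType=10 Account=administrator Src=203.0.113.45
2018-01-29T02:00:02 4625 LogonType=10 Account=admin Src=203.0.113.45
2018-01-29T02:00:03 4625 LogonType=10 Account=backup Src=203.0.113.45
2018-01-29T02:00:04 4625 LogonType=10 Account=administrator Src=203.0.113.45
2018-01-29T02:00:05 4625 LogonType=10 Account=sqladmin Src=203.0.113.45
2018-01-29T02:00:06 4625 LogonType=10 Account=administrator Src=203.0.113.45
2018-01-29T02:00:09 4624 LogonType=10 Account=administrator Src=203.0.113.45
2018-01-29T02:10:00 4625 LogonType=10 Account=jsmith Src=198.51.100.7
2018-01-29T02:10:30 4625 LogonType=10 Account=jsmith Src=198.51.100.7
2018-01-29T02:10:31 4624 LogonType=10 Account=jsmith Src=198.51.100.7
2018-01-29T02:20:00 4625 LogonType=3 Account=svc_scan Src=192.0.2.9
2018-01-29T02:20:01 4625 LogonType=3 Account=svc_scan Src=192.0.2.9
2018-01-29T02:20:02 4625 LogonType=3 Account=svc_scan Src=192.0.2.9
2018-01-29T02:20:03 4625 LogonType=3 Account=svc_scan Src=192.0.2.9
2018-01-29T02:20:04 4625 LogonType=3 Account=svc_scan Src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) Src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse the flattened log format into a list of event dicts; skips lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "event_id": int(m.group("eid")),
            "logon_type": int(m.group("lt")),
            "account": m.group("acct"),
            "src": m.group("src"),
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside a sliding time window.

    Returns {src_ip: {"failures": n, "accounts": distinct accounts tried,
                      "success_after": bool, "compromised_account": str (if any)}}.
    A successful RDP logon from an already-flagged source is the strongest
    indicator that the brute force worked and the host should be isolated.
    """
    recent = defaultdict(deque)   # src -> timestamps of RDP failures inside the window
    accounts = defaultdict(set)   # src -> account names attempted
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:   # only RemoteInteractive (RDP) logons matter here
            continue
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = recent[src]
            q.append(ev["ts"])
            accounts[src].add(ev["account"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"failures": 0, "accounts": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(q))
                alert["accounts"] = len(accounts[src])
        elif ev["event_id"] == 4624 and src in alerts:
            alerts[src]["success_after"] = True
            alerts[src]["compromised_account"] = ev["account"]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, alert)
```

Running this over the sample flags only 203.0.113.45 (six RDP failures across four account names, followed by a successful logon as administrator); the two mistyped passwords from 198.51.100.7 stay below the threshold, and the network-logon failures from 192.0.2.9 are ignored because they are not RDP. In production, tune the threshold and window to the environment's baseline, and treat a 4624 Logon Type 10 from a flagged source as an isolate-now event rather than a ticket.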
RDP access lets the attacker spread the ransomware across a multitude of devices: individual workstations, servers, and backup systems. An infected device will display the following pop-up; isolate it from the network immediately, before the infection spreads to the rest of the infrastructure.
The payment front end is a sobering sight: it reflects deep technical and organizational design work, a major investment of human and financial capital by the criminal group to scale the collection of ransom payments.
As we assist more and more clients with ransomware recoveries, one thing is clear: this attack comes from a well-organized criminal enterprise. For the clients we have assisted, the data recovery rate has been 100%, though the decryptor runs slower than others we have worked with and is prone to crashing. The ransom demanded varies, but on average it has been about 25% higher than in other attacks we have seen.
If you need help decrypting GandCrab ransomware or any other variant, please don’t hesitate to contact us (firstname.lastname@example.org or 855-474-1700) so we can arrange an immediate response from one of our trusted partners.