A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld.
First discovered by security researcher David Montenegro, researchers quickly jumped in to analyze the ransomware and post their results on Twitter. This article will dive into what has been discovered by myself and other researchers.
Unfortunately, at this time there is no way to decrypt files encrypted by GandCrab for free. This ransomware is being researched, though, and if any new information is released we will be sure to update this article.
For now, if you wish to discuss GandCrab you can this article's comments section or our dedicated GandCrab Help & Support Topic.
According to exploit kit researchers nao_sec and Brad Duncan, GandCrab is currently being distributed through a malvertising campaign called Seamless that then pushes the visitors to the RIG exploit kit. The exploit kit will then attempt to utilize vulnerabilities in the visitor's software to install GandCrab without their permission.
If the exploit kit is able to install the ransomware, the victim will probably not realize they are infected until it is too late.
A first for ransomware is GandCrab's use of the DASH currency as a ransom payment. Most file encrypting ransomware families have exclusively used Bitcoin as the ransom payment method. Lately, some ransomware infections have been moving to Monero and even Ethereum.
This is the first time, though, that we have seen any ransomware ask for DASH as the payment. This is most likely due to DASH being built around privacy and thus harder for law enforcement to track the owners of the coins.
The GandCrab developers are currently asking for 1.54 DASH, which is approximately $1,170 USD at today's prices.
Another interesting feature is GandCrab's use of the NameCoin .BIT top-level domain. .BIT is not a TLD that is recognized by the Internet Corporation for Assigned Names and Numbers (ICANN), but is instead managed by NameCoin's decentralized domain name system.
This means that any software that wishes to resolve a domain name that uses the .BIT tld, must use a DNS server that supports it. GandCrab does this by making dns queries using the a.dnspod.com DNS server, which is accessible on the Internet and can also be used to resolve .bit domains.
GandCrab uses these .bit domains as addresses for its Command & Control servers. Interestingly, the domain servers used by this ransomware contain names that you might recognize.
bleepingcomputer.bit nomoreransom.bit esetnod32.bit emsisoft.bit gandcrab.bit
After the publication of this story, the NameCoin developers issued a statement explaining that even though the GandCrab devs tried to use NameCoin DNS for their command & control servers, they did not set it up correctly. Instead the NameCoin developers stated that dnspod.com was just allowing the use of .bit domains even though it is not a TLD recognized by ICANN.
When GandCrab is first launched it. will attempt to connect to the ransomware's Command & Control server. As this server is hosted on one of Namecoin's .bit domains, it has to query a name server that supports this TLD.
It does this by querying for the addresses of the following domains using the command nslookup [insert domain] a.dnspod.com. This command queries the a.dnspod.com name server, which support the .bit TLD, for one of the domains below.
bleepingcomputer.bit nomoreransom.bit esetnod32.bit emsisoft.bit gandcrab.bit
If the victim's machine is unable to connect to the C2 server, then the ransomware will not encrypt the computer. It will, though, continue running in the background trying to get the IP address for the C2 and connect to it.
Once it is able to resolve the domain, it will connect to the C2 server's IP address. It is not known at this time what data is being sent and retrieved, but the C2 is most likely sending the public key that should be used to encrypt the files.
During this process, the ransomware will also connect to http://ipv4bot.whatismyipaddress.com/ to determine the public IP address of the victim.
Before GandCrab encrypts the victim's files it will first check for certain processes and terminate them. This will close any file handles that are open by these processes so that they can be properly encrypted. According to security researcher Vitali Kremez, the list of processes that are terminated are:
msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, mydesktopqos.exe, agntsvc.exeisqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, agntsvc.exeagntsvc.exe, agntsvc.exeencsvc.exe, firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe, mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe
GandCrab will now begin to encrypt the victim's files and will target only certain file extensions. According to researcher Pepper Potts, the list of extensions are:
1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aiff, .ait, .al, .aoi, .apj, .apk, .arw, .ascx, .asf, .asm, .asp, .aspx, .asset, .asx, .atb, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp, .bpw, .bsa, .c, .cash, .cdb, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cfn, .cgm, .cib, .class, .cls, .cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cry, .cs, .csh, .csl, .css, .csv, .d3dbsp, .dac, .das, .dat, .db, .db_journal, .db3, .dbf, .dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .def, .der, .des, .design, .dgc, .dgn, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .drf, .drw, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erf, .exf, .fdb, .ffd, .fff, .fh, .fhd, .fla, .flac, .flb, .flf, .flv, .flvv, .forge, .fpx, .fxg, .gbr, .gho, .gif, .gray, .grey, .groups, .gry, .h, .hbk, .hdd, .hpp, .html, .ibank, .ibd, .ibz, .idx, .iif, .iiq, .incpas, .indd, .info, .info_, .ini, .iwi, .jar, .java, .jnt, .jpe, .jpeg, .jpg, .js, .json, .k2p, .kc2, .kdbx, .kdc, .key, .kpdx, .kwm, .laccdb, .lbf, .lck, .ldf, .lit, .litemod, .litesql, .lock, .log, .ltx, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .ma, .mab, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf, .mef, .mfw, .mid, .mkv, .mlb, .mmw, .mny, .money, .moneywell, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mrw, .msf, .msg, .myd, .nd, .ndd, .ndf, .nef, .nk2, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obj, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .omg, .one, .orf, .ost, .otg, .oth, .otp, .ots, .ott, .p12, .p7b, .p7c, .pab, .pages, .pas, .pat, .pbf, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc, .plus_muhd, .pm!, .pm, .pmi, .pmj, .pml, .pmm, .pmo, .pmr, .pnc, .pnd, .png, .pnx, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx,.ppt, .pptm, .pptx, .prf, .private, .ps, .psafe3, .psd, .pspimage, .pst, .ptx, .pub, .pwm, .py, .qba, .qbb, .qbm, .qbr, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .qtb, .r3d, .raf, .rar, .rat, .raw, .rdb, .re4, .rm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdb, .sdf, .sh, .sldm, .sldx, .slm, .sql, .sqlite, .sqlite3, .sqlitedb, .sqlite-shm, .sqlite-wal, .sr2, .srb, .srf, .srs, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tax, .tbb, .tbk, .tbn, .tex, .tga, .thm, .tif, .tiff, .tlg, .tlx, .txt, .upk, .usr, .vbox, .vdi, .vhd, .vhdx, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vpd, .vsd, .wab, .wad, .wallet, .war, .wav, .wb2, .wma, .wmf, .wmv, .wpd, .wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xlr, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xxx, .ycbcra, .yuv, .zip
While encrypting files, Kremez's analysis showed that GandCrab will skip any files whose full pathname contain the following strings:
\ProgramData\, \Program Files\, \Tor Browser\, Ransomware, \All Users\, \Local Settings\, desktop.ini, autorun.inf, ntuser.dat, iconcache.db, bootsect.bak, boot.ini, ntuser.dat.log, thumbs.db, GDCB-DECRYPT.txt, .sql
When encrypting files, the ransomware will append the .GDCB extension to the encrypted file's name. For example, test.jpg would be encrypted and renamed to test.jpg.GDCB.
At some point, the ransomware will relaunch itself using the command "C:\Windows\system32\wbem\wmic.exe" process call create "cmd /c start %Temp%\[launched_file_name].exe". If a user does not respond Yes to the below prompt, it will continuously display the UAC prompt.
When the ransomware has finished encrypting the computer, victim's will find ransom notes located through the computer. This ransom note is named GDCB-DECRYPT.txt and contains information on what happened to the victim's files and a list of TOR gateways that can be used to access the payment site.
When a user goes to the listed site, they will be presented with a site called GandCrab Decryptor. This site provides information such as the ransom amount, the DASH address to send payment to, a support chat, and a free decryption of one file.
As already stated, unfortunately there is no way to decrypt the files for free at this time. If you need help or would like to discuss this ransomware, you can do so in our dedicated GandCrab Help & Support Topic.
In order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. With a good backup, ransomware has no effect on you.
You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you visit our How to Protect and Harden a Computer against Ransomware article.
Update 2/8/18 10:46 AM: Updated articles to include information from the NameCoin developers regarding how the GandCrab devs did not properly configure the C2 domains using NameCoin.
aedf80c426fb649bb258e430a3830d85 6866d8d8bf8565d94e0e1479978cf1e5 379e149517f4119f2edb9676ec456ed4
184.108.40.206/curl.php?token= ipv4bot.whatismyipaddress.com http://gdcbghvjyqy7jclk.onion http://gdcbghvjyqy7jclk.onion.top/ http://gdcbghvjyqy7jclk.onion.casa/ http://gdcbghvjyqy7jclk.onion.guide/ http://gdcbghvjyqy7jclk.onion.rip/ http://gdcbghvjyqy7jclk.onion.plus/
---= GANDCRAB =--- Attention! All your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB The only method of recovering files is to purchase a private key. It is on our server and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: 1. Download Tor browser - https://www.torproject.org/ 2. Install Tor browser 3. Open Tor Browser 4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id] 5. Follow the instructions on this page If Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular browser: 1. http://gdcbghvjyqy7jclk.onion.top/[id] 2. http://gdcbghvjyqy7jclk.onion.casa/[id] 3. http://gdcbghvjyqy7jclk.onion.guide/[id] 4. http://gdcbghvjyqy7jclk.onion.rip/[id] 5. http://gdcbghvjyqy7jclk.onion.plus/[id] On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. DANGEROUS! Do not try to modify files or use your own private key - this will result in the loss of your data forever!