The malware forces a reboot after encrypting files and shows its ransom note on restart

Oct 1, 2018 18:30 GMT

The threat actors behind the GandCrab ransomware are a very active group, and they have made their creation just as busy, designing it to infect targets through a variety of methods.

As reported by 360 Security Center, GandCrab uses multiple methods of infiltrating and compromising victims: spam e-mails, disguising itself as harmless software or cracked utilities, exploiting vulnerabilities in Struts, Apache Tomcat, JBoss and WebLogic, and even password-cracking attacks when everything else fails.

Still, the most common attack vector for GandCrab remains maliciously crafted e-mails carrying a dropper as an attachment, designed to download the ransomware and run it on the victim's machine.

The effort and the number of changes GandCrab's authors put into each newly "released" version make them a force to be reckoned with: every added propagation and attack capability makes this ransomware strain more dangerous each time a new version starts making the rounds.

What is notable about this strain is that, before it even starts encrypting files on the target's computer, GandCrab deletes the Volume Shadow Copies (the automatic backups Windows keeps of a user's data), so that the files it holds for ransom cannot be recovered from local snapshots and remain locked until the payment is delivered in full.

GandCrab uses a wide range of attack vectors and, once settled in, makes sure its masters get paid

Upon execution, the latest version of GandCrab scans for every targeted document format and, for each file it finds, encrypts it and renames it with a randomly chosen five-character extension.

After encrypting the files it holds hostage, GandCrab creates its ransom note, with detailed instructions on how the victim can pay to have the documents restored and directions to the "payment portal" at gandcrabmfe6mnef.onion.

GandCrab does not play the waiting game either: once it finishes encrypting the files, it gets straight to business, establishes persistence and reboots the infected computer, then runs itself again after the restart and displays the ransom note.
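The chain described above (shadow-copy deletion, mass renaming to a single random five-character extension, persistence and a forced reboot) leaves a recognisable trail in endpoint telemetry. The following is an added example, not code from the original article or from 360 Security Center, of a small hunt over constructed Sysmon-style process-creation and file-rename events. The command lines, paths, the `.kqzxa` extension and the `RunOnce` registry entry used to stand in for persistence are all constructed for illustration; the article does not say which persistence mechanism GandCrab uses, so that rule is an assumption.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (process creation and file rename) reduced to the
# fields the rules need. Nothing here is captured from a real host: the command lines,
# paths and the ".kqzxa" extension are illustrative. The RunOnce entry stands in for
# "achieving persistence"; the article does not name GandCrab's mechanism (assumption).
SAMPLE_EVENTS = [
    {"pid": 4120, "type": "process", "cmd": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"pid": 4120, "type": "process", "cmd": r"wmic shadowcopy delete"},
    {"pid": 4120, "type": "process", "cmd": r"bcdedit /set {default} recoveryenabled no"},
    {"pid": 4120, "type": "rename", "src": r"C:\Users\alice\Documents\q3.xlsx", "dst": r"C:\Users\alice\Documents\q3.xlsx.kqzxa"},
    {"pid": 4120, "type": "rename", "src": r"C:\Users\alice\Documents\notes.docx", "dst": r"C:\Users\alice\Documents\notes.docx.kqzxa"},
    {"pid": 4120, "type": "rename", "src": r"C:\Users\alice\Pictures\cat.jpg", "dst": r"C:\Users\alice\Pictures\cat.jpg.kqzxa"},
    {"pid": 4120, "type": "rename", "src": r"C:\Users\alice\Desktop\plan.pdf", "dst": r"C:\Users\alice\Desktop\plan.pdf.kqzxa"},
    {"pid": 4120, "type": "rename", "src": r"C:\Users\alice\Desktop\budget.pptx", "dst": r"C:\Users\alice\Desktop\budget.pptx.kqzxa"},
    {"pid": 4120, "type": "process", "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v upd /t REG_SZ /d C:\Users\alice\AppData\Local\Temp\gc.exe /f"},
    {"pid": 4120, "type": "process", "cmd": r"shutdown /r /f /t 0"},
    # Benign activity that must not fire: listing shadows, and a user making a .bak copy.
    {"pid": 777, "type": "process", "cmd": r"vssadmin list shadows"},
    {"pid": 888, "type": "rename", "src": r"C:\Users\bob\report.docx", "dst": r"C:\Users\bob\report.docx.bak"},
]

# Command-line rules, one list of patterns per behaviour. Matching is case-insensitive
# because Windows tolerates any casing of the binary name and switches.
COMMAND_RULES = {
    "shadow_copy_deletion": [
        re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
        re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    ],
    "run_key_persistence": [
        re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run(Once)?\b", re.I),
    ],
    "forced_reboot": [
        re.compile(r"shutdown(\.exe)?\s+.*(/|-)r\b", re.I),
    ],
}

# "<original name>.<five lowercase letters>": the article says five characters; lowercase
# letters only is an assumption made here to keep the pattern tight.
RANDOM_EXT = re.compile(r"^(?P<base>.+)\.(?P<ext>[a-z]{5})$")


def classify_command(cmd):
    """Return the name of the first rule a process command line matches, or None."""
    for name, patterns in COMMAND_RULES.items():
        if any(p.search(cmd) for p in patterns):
            return name
    return None


def appended_extension(src, dst):
    """Return the five-letter extension a rename appended (src -> src.xxxxx), else None.

    Requiring dst == src + "." + ext rejects ordinary renames such as report.docx -> report.docx.bak
    (wrong length) or notes.docx -> notes.kqzxa (original name not preserved).
    """
    m = RANDOM_EXT.match(dst)
    if m and m.group("base") == src:
        return m.group("ext")
    return None


def hunt(events, min_renames=5):
    """Group events by pid and return {pid: [(rule, detail), ...]} for pids with any finding.

    Renames are only reported once a process has appended the *same* random extension to
    at least `min_renames` files, which is the encryption loop rather than a one-off rename.
    """
    findings = defaultdict(list)
    ext_counts = defaultdict(lambda: defaultdict(int))  # pid -> ext -> number of files
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process":
            rule = classify_command(ev["cmd"])
            if rule:
                findings[pid].append((rule, ev["cmd"]))
        elif ev["type"] == "rename":
            ext = appended_extension(ev["src"], ev["dst"])
            if ext:
                ext_counts[pid][ext] += 1
    for pid, counts in ext_counts.items():
        for ext, n in counts.items():
            if n >= min_renames:
                findings[pid].append(("mass_rename", f"{n} files renamed to .{ext}"))
    return dict(findings)


def triage(findings, required=("shadow_copy_deletion", "mass_rename")):
    """Return the pids whose findings include every rule in `required`.

    Shadow-copy deletion alone is sometimes legitimate admin work and a rename burst alone
    can be a backup tool; a single process doing both is the ransomware pattern.
    """
    return sorted(pid for pid, items in findings.items()
                  if all(any(rule == r for rule, _ in items) for r in required))


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for pid, items in results.items():
        print(f"pid {pid}:")
        for rule, detail in items:
            print(f"  [{rule}] {detail}")
    print("ransomware-like pids:", triage(results))
```

On the constructed sample only pid 4120 produces findings, and it is the only pid `triage` returns; the benign `vssadmin list shadows` and the `.bak` copy produce nothing. In a real deployment the event source would be Sysmon Event ID 1 (process creation) and Event ID 11/26 or a file-system audit feed for renames, and `min_renames` would be tuned against the normal rename rate of backup and sync tools on the estate.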

As protection measures against GandCrab and ransomware strains in general, we recommend backing up data regularly and keeping at least one copy offline (the malware deletes the shadow copies on the infected machine), being very careful when opening e-mail attachments from unknown senders, installing all operating system and application updates (several of the infection vectors above rely on known server-side vulnerabilities), and running an anti-malware solution that can detect and block ransomware.