GrandCrab – RansonWare Overview

Right after the footsteps of ransomware such as WannaCry and Petya, GandCrab ransomware made havoc in just the first weeks of 2018 as money-snatching crab loitering on the web. With the plan of joining the discussion board of illegal hacking, GandCrab ransomware grew to become one of the widely-distributed trojans.

Later, the South Korean security vendor AhnLab released a patch for the ransomware and kept the victims from spending hundreds of thousands of dollars on ransoms. After the patch was released, the owner of the GandCrab ransomware had warned them about the future version of the trojan as a retaliation towards the AhnLab’s patch. As per the reports, the new ransomware may possibly consist of zero-day attacks, exploits that are not discovered by the general or known by the general public, for the AhnLab v3 Lite antivirus.

But what exactly is GandCrab ransomware and how does it have an effect on our computers? In this post, we will focus on the GandCrab ransomware and analyze it while covering the methods of avoiding getting infected yourself

How Does It Work?

Once the ransomware gets ran, either by manually clicking on it or having a script autorun it, on the victim’s system, it immediately takes the victim towards the GrandSoft EK website or to Rig Exploit Kit page. From here, the GandCrab ransomware controls of the victim’s PC and starts encrypting every folder and files on it.

As soon as the ransomware runs on the machine, it gathers each and every sensitive and personal information and data of the user to intimidate them. Information about passwords, username, keyboard type, Windows version, etc. is gathered towards forcing the victim to pay a ransom.

Before encryption of the files, the ransomware uses built-in crypto functions to create private and public keys used to encrypt the files of the victims. These keys are then sent towards one of the ransomware servers together with all the sensitive data about the victim’s PC.

In the last stages, the ransomware begins encrypting all the files using the public key generated earlier. It adds “.GDCB” extension at the end of every document which was encrypted. Once the encryption is done, it generates a “GDCB-DECRYPT.txt” file with a message which basically demends for a ransom to decrypt the files.

How Does It Spread?

From the information we gathered, the ransomware spreads via compromised websites, emails or advertisements. However, experts have managed to find two sources:

  1. Files and JavaScript attachments inside of emails
  2. Use of exploit kits for Drive-by download

Past Versions

GandCrab v1

The very first version of this ransomware was uncovered during January 2018 by a security researcher known as David Montenegro. The GandCrab payload shows standard ransomware behaviour, where it encrypts the victim’s information with a public and private key generated on the go. The key stays exclusive to each and every victim and the owner would send ransom messages alongside the infromation on how to pay the amount in exchange for the key. The trojan spreaded like a wildfire, during this period, the only payment accepted were DASH. Shortly, they started accepting Bitcoin too since it was easier for victims to buy them

GandCrab v2

After the decryptor was introduced for GandCrab v1, the following attack was launched during 5th March 2018. This version of the ransomware was much more effective which made the existing decrypter released to be useless. Additionally, the trojan also released a new and much better safe-guard by using a diversed hardcoded domain. On top of that, the they created a DLL which was used to attack the kernel-mode components of some Antivirus softwares.

Other than that, every single ransom message had a version number and, each payload had an additional “internal version” number. There was another version which was known as the payload version, this was used to connect to the network and every version was different from each other

GandCrab v3

This was the next release which was discovered during April 23, 2018. Not much information was really discovered from this version, and there wasn’t much difference between version 3 and version 2. After awhile, around May 9, v3.0.1 was released

GandCrab v4

Around July 1st, 2018, the latest version of GandCrab ransomware version 4.0.0 was released and on July 5th, an updated v4.1 version was released. This version of the ransomware includes some notable capabilities which were discovered. It replaced most of the existing codes, and it started using a much faster encryption algorithm that encrypted files at a much faster rate and then abruptly deletes itself from the system to prevent detection.


Adopting some good computing habits and making sure you keep your anti-virus updated. Always keeping backup of your important files to offline devices such as a portable hard drive or other similar offline storage that you can use to restore any lost files. Something that should be considered is that most miners or other spywares tend to only run when the system is idle. So keep an eye on your system performance or CPU usage when idle should be done every now and then

The ransomware is also noted to not infect machines which are from Russia, which tells us that the creator of the ransomware could be from Russia.

So, this is it, the end. Ransomware has seen a recent peek on development due to the infamous WannaCry and how deathly it was. Many victims also fell for the ransom and many had paid thousands to satisfy the ransom for the hopes of receiving their files. If you ever find yourself in that situation, it would be better to re-install everything and contact a professional. Most often than not, ransomware builders would not even bother to decrypt the files after payment.

Leave a Reply