Threat Group Cards: A Threat Actor Encyclopedia

Tool: GandCrab

Names: GandCrab, GrandCrab
Category: Malware
Type: Ransomware, Big Game Hunting
Description: (VirusTotal) The GandCrab ransomware, which is no longer active, was actively distributed for a little over a year. GandCrab variants caused a great deal of damage worldwide, including in South Korea.

The GandCrab ransomware shares an interesting history with AhnLab. Like many other examples of ransomware, GandCrab searches for any running or pre-installed anti-malware program and, when it finds one, it interferes with its normal execution and shuts it down. However, when it came to AhnLab, GandCrab went the extra mile, specifically targeting the company and its anti-malware program V3 Lite by mentioning it in its code. It even revealed a vulnerability in the security program and made attempts to delete it entirely.

To effectively respond to and protect against GandCrab attacks, the AhnLab Security Analysis Team analysed GandCrab and all its different versions by thoroughly investigating the distributed code, encryption method, restoration method, and the evasive method it used to avoid behaviour-based detection. Each time a new attack feature targeting AhnLab and V3 was identified, the company’s product developers promptly addressed it to ensure maximum security.

The interesting conflict between AhnLab and the GandCrab ransomware was widely discussed in the IT security industry. However, the details that were revealed at the time were only the tip of the iceberg, with more details being kept private for reasons of confidentiality.
Information:
<https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/>
<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/>
<http://asec.ahnlab.com/1145>
<https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/>
<http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/>
<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/>
<https://isc.sans.edu/diary/23417>
<https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html>
<https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html>
<http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf>
<https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/>
<https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom>
<https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/>
<https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/>
<https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab>
AlienVault OTX: <https://otx.alienvault.com/browse/pulses?q=tag:GandCrab>
Playbook: <https://www.nomoreransom.org/uploads/GANDCRAB%20RANSOMWARE%20DECRYPTION%20TOOL%20(002).pdf>

Last change to this tool card: 24 April 2021

All groups using tool GandCrab

APT groups

Name: Pinchy Spider, Gold Southfield
Country: Russia
Observed: 2018-Jul 2021

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
