GandCrab is most widely distributed ransomware of the moment

The ransomware is, for the moment, the most prolific ransomware in circulation. In many ways, its operation is very similar to other ransomware, but its ransomware-as-a-service business model seems to have propelled it forward.

Sophos published a SophosLabs Uncut report about the widely disseminated malware, GandCrab.

GandCrab appeared just over a year ago, promoted on public websites but sold exclusively through the dark web. Since then, the ransomware has developed a large pool of customers, and an unfortunately large pool of victims as well.

The ransomware may owe some of its early success to its unique software licensing scheme. For $100, neophyte ransomware crime lords could build a criminal fiefdom of up to 200 victims in a two-month period, working their way up to earning enough to afford more premium-rate services and features.

In essence, the GandCrab creators provide a criminal franchise system. The business model for GandCrab gives the franchisee the option of choosing their ransom amount, among other features. Some victims report ransoms as low as $300, but they can run an order of magnitude higher.

GandCrab was initially delivered via the RIG exploit kit, but once licensees began using the ransomware, they chose whatever distribution method suited them best. A month later, malicious spam began to appear with malicious office documents that, when opened, delivered GandCrab to victims. The malware itself uses a deviously clever fileless approach to execute itself and encrypt the victim’s files. It has an effective countermeasure to traditional antivirus software, which would not be able to detect or clean the (conspicuously absent) malicious file.

For a more detailed report, please go to SophosLabs Uncut. Sophos leverages on-demand curated threat intelligence from SophosLabs and machine learning to rapidly detect, prioritize, investigate and respond to incidents. With Sophos Synchronized Security, companies can better manage and defend their network thanks to integration between endpoint and network solutions. The latest releases of XG Firewall and Intercept X with EDR are now available on Sophos Central’s cloud management platform.
