New RaaS Sold On Hacking Forums Via Two Exploit Kits
There are reports of a recently released strain of ransomware that’s being sold ‘as a service’ on hacking forums and distributed via two different exploit kits. The two exploit kits, RIG and GrandSoft, give cyber criminals the tools they need to carry out their “business”.
ZDNet reports: “GandCrab first emerged in January and was found to be distributed by the RIG exploit kit and GrandSoft exploit kit, two sets of tools which provide attackers with all the tools they need to exploit vulnerabilities to deliver malware.” The ZDNet report, authored by Senior Reporter Danny Palmer, points out that although such exploit kits are usually used to distribute coin-miners, Trojans and the like, they are now being used effectively to deliver this form of ransomware as well.
A notable thing about GandCrab is that it’s now being advertised online, on a Russian hacking forum, says the ZDNet report, quoting Flashpoint researchers. The report says: “Those behind GandCrab aren’t keeping their tools to themselves. Researchers at Flashpoint have described to ZDNet how the ransomware is being advertised on what’s described as a ‘top-tier Russian hacking forum’…A translation of a post made on the forum offers would-be crims a ‘partnership program’ for the ransomware, with the creators taking up to 60 percent of the ransom fees paid to their clients. However, successful crooks could earn up to 70 percent of the ransom payments for themselves…In exchange for taking a cut of the profits, GandCrab’s authors offer their users support and updates for the ransomware — including, if necessary, offering step-by-step instructions via the use of a ticketing system and other features associated with legitimate, rather than criminal, software. It’s all to make the ransomware as easy as possible to distribute and use.”
GandCrab, as per reports, is ransomware that offers customization options. The person using GandCrab can manually or automatically alter the ransom payment. This can be done based on geographical location, which helps the operator plan accordingly and improve the prospects of payment. The user of the ransomware can also change the file extensions of the files that are to be encrypted.
Once GandCrab infects a system, it functions like any other ransomware: it encrypts files and demands a ransom. An interesting aspect is that, unlike most ransomware, GandCrab doesn’t opt for Bitcoin payment; it opts for a lesser-known cryptocurrency, Dash. According to experts, there could be reasons for this. The ZDNet report says: “While that’s likely, at least partially, down to volatility and hype around bitcoin slowing down transactions, Dash also offers increased privacy compared to bitcoin.”
The people behind GandCrab, however, explicitly instruct buyers not to target Russia or any other country in the Commonwealth of Independent States, the grouping of former Soviet republics.
For users, the best way to protect themselves against GandCrab is to keep their software updated, especially Internet Explorer and Flash Player; the ransomware uses known vulnerabilities in Internet Explorer and Flash Player to launch attacks.
Julia Sowells