A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld.
First discovered by security researcher David Montenegro, researchers quickly jumped in to analyze the ransomware and post their results on Twitter. This article will dive into what has been discovered by myself and other researchers.
Unfortunately, at this time there is no way to decrypt files encrypted by GandCrab for free. This ransomware is being researched, though, and if any new information is released we will be sure to update this article.
For now, if you wish to discuss GandCrab you can this article’s comments section or our dedicated GandCrab Help & Support Topic.
GandCrab being distributed through the Rig exploit kit
According to exploit kit researchers nao_sec and Brad Duncan, GandCrab is currently being distributed through a malvertising campaign called Seamless that then pushes the visitors to the RIG exploit kit. The exploit kit will then attempt to utilize vulnerabilities in the visitor’s software to install GandCrab without their permission.
If the exploit kit is able to install the ransomware, the victim will probably not realize they are infected until it is too late.
GandCrab is the first ransomware to use the Dash Currency
A first for ransomware is GandCrab’s use of the DASH currency as a ransom payment. Most file encrypting ransomware families have exclusively used Bitcoin as the ransom payment method. Lately, some ransomware infections have been moving to Monero and even Ethereum.
This is the first time, though, that we have seen any ransomware ask for DASH as the payment. This is most likely due to DASH being built around privacy and thus harder for law enforcement to track the owners of the coins.
To read the original article: