Cylance vs. GandCrab Ransomware


A new ransomware, GandCrab, aims to pinch your data and extort you for its return. This malware was first identified in late January of 2018. It is distributed by two known exploit kits, GrandSoft EK and RIG EK, in what may be an A/B test of delivery mechanisms. If successful, GandCrab will encrypt selected files on the host system and append those files with a GDCB suffix.

Why is GandCrab Important and Why Should I Be Concerned?

GandCrab is ransomware. It encrypts files then extorts the rightful owner to regain access to their data. A victim of GandCrab will lose:

  • Time recovering encrypted information
  • Money, should they opt to pay the ransom
  • Possibly the encrypted data

This malware is also new, which means it may be evolving towards greater sophistication. There are reports of GandCrab being marketed and sold as Ransomware-as-a-Service (RaaS) on hacking forums. 

Its distribution by multiple exploit kits suggests the malware’s author(s) may still be searching for a way to achieve optimal effectiveness. It is also the first known ransomware to use the identity-protecting Dash cryptocurrency instead of BitCoin or other popular alternatives.

Figure 1: Files appended with a GDCB suffix

There is no known method of decrypting lost files using third-party solutions. Instructions for paying the ransom are found in the GDCB-DECRYPT.txt file which is deposited in various locations on the host system.

The instructions read:

Figure 2: GandCrab ransom note

Paying ransom requires the victim to shell out an unspecified amount of Dash cryptocurrency for promised (but not verified) file decryption. Restoring the encrypted files from a recent backup remains a viable workaround. The best option, of course, is to prevent the malware from executing altogether.

Cylance Stops GandCrab

Our customers will be pleased to hear that CylancePROTECT® can identify and stop (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Blog. Read the original post at: