GandCrab Ransomware

First observed in January 2017, GandCrab is a ransomware trojan delivered by a number of exploit kits including RIG, as well as by the Necurs botnet.

Once installed, GandCrab creates a registry entry so that it runs at start-up, then collects information about the user and the device. It also checks for the presence of anti-virus applications.

The infection is delivered through a series of malicious documents that ultimately install the ransomware via a PowerShell script.
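The persistence and delivery behaviour above is what a defender would watch for: an autostart entry written by a process that belongs to the document-to-PowerShell chain rather than by an installer. The following detector is an added example, not code from the original page; it assumes Sysmon Event ID 13 (RegistryEvent: value set) records flattened to one line each, and all paths, SIDs and file names in the sample records are constructed.

```python
# Added example (not from the original page): flag a Run-key persistence entry
# written by a process from the delivery chain described above (Office document
# -> PowerShell -> ransomware). Input is Sysmon Event ID 13 (RegistryEvent:
# value set) records flattened to one line each; samples are constructed.
import re

# Autostart locations; plain strings so each ends in one backslash.
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Processes that should not normally register autostart entries.
SUSPICIOUS_WRITERS = {"powershell.exe", "winword.exe", "excel.exe", "wscript.exe"}
EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+) Image=(?P<image>.+?) "
    r"TargetObject=(?P<target>.+?) Details=(?P<details>.*)$"
)

def parse_event(line):
    """Return the field dict for one flattened Sysmon record, or None."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None

def detect_run_key_persistence(lines):
    """Return (image, target, details) per Run/RunOnce write by a suspicious process."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["id"] != "13":
            continue                      # not a registry value-set event
        if not any(k in ev["target"].lower() for k in RUN_KEYS):
            continue                      # not an autostart location
        writer = ev["image"].rsplit("\\", 1)[-1].lower()
        if writer in SUSPICIOUS_WRITERS:
            findings.append((ev["image"], ev["target"], ev["details"]))
    return findings

# Constructed sample records (hypothetical paths, SID and file names).
SAMPLE_LOG = [
    "EventID=13 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater "
    "Details=C:\\Users\\alice\\AppData\\Roaming\\updater.exe",
    "EventID=13 Image=C:\\Program Files\\Vendor\\setup.exe "
    "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent "
    "Details=C:\\Program Files\\Vendor\\agent.exe",
    "EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "TargetObject=- Details=-",
]

if __name__ == "__main__":
    for image, target, details in detect_run_key_persistence(SAMPLE_LOG):
        print(f"ALERT: {image} wrote {target} -> {details}")
```

Only the PowerShell-written entry is reported; the vendor installer's Run key and the non-registry event are ignored, which is the kind of baseline filtering needed to keep such a rule from alerting on every legitimate autostart.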

Files are encrypted using the RSA algorithm, with the public and private keys generated using API calls to standard Microsoft libraries. The ransom note demands payment in Dash, a less widely used cryptocurrency.


Affected Platforms

Microsoft Windows – All versions
