GandCrab ransomware operators team up with crypter service

The hacking agreement could result in the ransomware strain becoming more difficult to spot and analyze in the future.
Written by Charlie Osborne, Contributing Writer

The GandCrab ransomware variant has been paired up with a crypter service to further enhance the malware's stealth capabilities.

The malware has undergone a number of evolutions of late and the authors behind GandCrab appear to be constantly seeking out ways to enhance the malware's code since its formation in January this year.

GandCrab attempts to infect systems via poorly-secured remote desktop applications, exploit kits, phishing, botnets, and PowerShell scripts. The malware usually comes as a package and is considered by many as a ransomware-as-a-service offering.

The ransomware has already claimed thousands of victims worldwide. Once a system has been infected, GandCrab encrypts and locks files and demands a payment of anything from a few hundred to several thousand dollars.

Last month, researchers found that the fourth version of the malware was being delivered via the Phorpiex worm in order to infect enterprise networks and propagate via USB drives, removable storage, and spam.


Version five, which was only released in September, has given operators the choice to demand payment in either the Dash or Bitcoin cryptocurrencies.


GandCrab is now on version 5.0.2 and, while constantly in development, still contains bugs and programming errors which security researchers can exploit to develop signatures and decryption services for victims.

It appears that the GandCrab developers, however, are keen to plug these security holes and make the task of reverse-engineering the malware more difficult.

According to researchers Alexandre Mundo, John Fokker and Thomas Roccia from cybersecurity firm McAfee, GandCrab, perhaps due to its cult status in underground forums, has managed to team up with a crypter service.

In a blog post, the researchers said that "the speed of change is impressive and increases the difficulty of combating it."


Crypters are often a key component of obfuscation. Rather than change the signature of malware itself, obfuscation aims to use different delivery methods to circumvent antivirus protections.

While packers, instruction changes, and the introduction of dead code are all part-and-parcel of obfuscation, crypters are also used to encrypt elements of malware -- or the whole package -- to bar access to signatures.
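To make the point above concrete, here is an added example (not from the article or from McAfee's research) showing why a crypter's encryption layer defeats a plain byte-signature scan, and the entropy heuristic defenders use to flag such samples anyway. The signature, the sample payload, the key and the keystream construction are all constructed stand-ins for illustration.

```python
import hashlib
import math
from collections import Counter

# Constructed stand-in for a known-bad byte pattern a signature scanner looks for.
# This is NOT a real GandCrab signature; it is illustrative only.
SIGNATURE = b"RANSOM_NOTE_PLACEHOLDER"

# Constructed "plain" sample: low-entropy filler around the signature.
PLAIN_SAMPLE = b"\x00" * 64 + b"MZ" + b"A" * 1000 + SIGNATURE + b"B" * 1000


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0). Encrypted/packed data sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def signature_match(data: bytes, sig: bytes = SIGNATURE) -> bool:
    """Plain byte-pattern match: the check a crypter is built to defeat."""
    return sig in data


def crypt_layer(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for a crypter's encryption layer (symmetric: apply twice to undo).

    Uses a SHA-256-derived keystream, deterministic for the test; real crypters
    differ in detail, but the effect on static scanning is the same.
    """
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(d ^ k for d, k in zip(data, out))


def looks_crypted(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: a static blob with near-random entropy is likely encrypted/packed."""
    return shannon_entropy(data) >= threshold


def triage(data: bytes) -> dict:
    """Defender-side summary: signature hit, entropy, and whether it looks crypted."""
    ent = shannon_entropy(data)
    return {"signature_hit": signature_match(data), "entropy": round(ent, 2),
            "suspicious": looks_crypted(data)}
```

Run `triage` on both the plain sample and `crypt_layer(PLAIN_SAMPLE, b"demo-key")` to see the signature hit vanish while the entropy flag is raised; high entropy alone is only a triage cue, since compressed or legitimately encrypted files trip it too.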

NTCrypt is the service chosen to bolster GandCrab's capabilities following an aggressive marketing scheme and competition launched by GandCrab developers to find a partner.

The crypter is described online as "a fully NT-based crypter with a unique injection method that will guarantee a high execution rate, unlike other crypters that rely on traditional and overused methods to achieve payload execution."

The software is on offer for between $950 and $1,600.


In order to drum up excitement in the announcement, the NTCrypt-GandCrab partnership has offered a discount to cybercriminals signing up for the service.

"This novel approach emphasizes once more the cult status GandCrab has in the underground community," McAfee says. "For a criminal business such as GandCrab, building these alliances makes perfect sense: They increase the ease of operation and a trusted affiliate network minimizes their risk exposure by allowing them to avoid less-trusted suppliers and distributors."

Ransomware is incredibly popular with cybercriminals due to the possibility of high returns, especially as many victims will pay up to retrieve locked and encrypted files.

The operators of the SamSam ransomware are earning $300,000 a month, while Cerber developers have managed to earn an estimated $195,000 in only a month through such malware.

For as long as this particular form of malware has the capability to make its operators a fortune in fraudulent income, we are likely to see more and more cybercriminals bringing new forms of ransomware to the market.
