Ransomware warning: The gang behind this virulent malware just changed tactics again

Researchers say that those behind GandCrab ransomware are now going 'big game hunting' for larger targets - and more money.
Written by Danny Palmer, Senior Writer

The gang behind a family of ransomware that has been active for well over a year has tweaked its tactics to ensure the file-locking malware campaign is as effective as possible.

GandCrab first emerged in January 2018 and has remained one of the most successful forms of ransomware ever since, with those behind it regularly releasing new versions to counter free decryption tools developed by security researchers.

The newest version of the ransomware, GandCrab 5.2, was released in February, just a day before the latest decryptor was released.

Now researchers at Crowdstrike have detailed some of the latest tactics being deployed by the outfit behind GandCrab, which they refer to as Pinchy Spider. The changes signify a shift in targeting and deployment: those behind the ransomware are increasingly looking to compromise larger targets for a bigger payday.

GandCrab operates an affiliate model, with its authors providing the ransomware "as-a-service" to wannabe hackers in exchange for a 30 to 40 percent cut of the profits.

But now researchers have observed adverts for GandCrab being posted on underground forums, specifically targeted at crooks with skills around operating remote desktop protocols, virtual network computing and experience of infiltrating corporate networks.

"Spammers, working with landing pages and corporate networking specialists — do not miss your ticket to a better life. We are waiting for you," reads a translation of the advert.

By using remote desktop protocols and stolen credentials, attackers can lay the groundwork for a much larger attack, secretly using their access to move around the network and deploy GandCrab across several hosts before pulling the trigger on the infection.

Now, rather than a handful of machines being encrypted with ransomware, attackers can compromise entire networks — something they look to exploit in order to demand larger ransom payments in exchange for restoring the systems. Crowdstrike refers to this kind of attack technique as "big game hunting".

However, what differentiates the GandCrab gang from others who use this model is how they monetize the attack. Other ransomware groups, such as those behind SamSam, request one lump-sum payment. With GandCrab, even network-wide attacks demand payment on a per-PC basis.

No matter how the attackers collect the illicit funds, the campaigns continue to be successful, as organisations give in to ransom demands.

"Running successful big game hunting operations results in a higher average profit per victim, allowing adversaries like PINCHY SPIDER and their partners to increase their criminal revenue quickly," wrote Crowdstrike researchers, who have also shared indicators of compromise for GandCrab on the blog.
