Names | GandCrab, GrandCrab
Category | Malware
Type | Ransomware, Big Game Hunting
Description | (VirusTotal) The GandCrab ransomware, which is no longer active, was actively distributed for a little over a year. GandCrab variants caused a great deal of damage worldwide, including in South Korea. The GandCrab ransomware shares an interesting history with AhnLab. Like many other examples of ransomware, GandCrab searches for any running or pre-installed anti-malware program and when it finds one it interferes with its normal execution and shuts it down. However, when it came to AhnLab, GandCrab went the extra mile, specifically targeting the company and its anti-malware program V3 Lite by mentioning it in its code. It even revealed a vulnerability in the security program and made attempts to delete it entirely. To effectively respond to and protect against GandCrab attacks, the AhnLab Security Analysis Team analysed GandCrab and all its different versions by thoroughly investigating the distributed code, encryption method, restoration method, and the evasive method it used to avoid behaviour-based detection. Each time a new attack feature targeting AhnLab and V3 was identified, the company's product developers promptly addressed it to ensure maximum security. The interesting conflict between AhnLab and the GandCrab ransomware was widely discussed in the IT security industry. However, the details that were revealed at the time were only the tip of the iceberg, with more details being kept private for reasons of confidentiality.
Information | <https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/> <https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/> <http://asec.ahnlab.com/1145> <https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/> <http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/> <https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/> <https://isc.sans.edu/diary/23417> <https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html> <https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html> <http://csecybsec.com/download/zlab/20181001_CSE_GandCrabv5.pdf> <https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/> <https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom> <https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/> <https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/> <https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/>
Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab>
AlienVault OTX | <https://otx.alienvault.com/browse/pulses?q=tag:GandCrab>
Playbook | <https://www.nomoreransom.org/uploads/GANDCRAB%20RANSOMWARE%20DECRYPTION%20TOOL%20(002).pdf>
Last change to this tool card: 25 April 2021
APT groups using this tool
Name | Country | Observed
Pinchy Spider, Gold Southfield | | 2018 - May 2024
1 group listed (1 APT, 0 other, 0 unknown)
Digital Service Security Center