GandCrab's distribution methodology and choice of ransom currency might be pointers as to how ransomware will evolve in 2018
GandCrab is distributed using two exploit kits, namely RIG EK and GrandSoft EK. Researchers at Malwarebytes Labs call this out as surprising: other than the Magnitude EK, which is known to push one particular ransomware attack (Magniber), the typical kit payload has been anything but ransomware of late. Then there’s the fact that GandCrab has opted not to ask for a ransom paid in Bitcoin, instead looking for payment using the Dash cryptocurrency.
So, just how unusual is it for an exploit kit, let alone two, to be distributing ransomware in 2018? Paolo Passeri, a solutions architect at Netskope, reckons the last examples of exploit kits pushing ransomware date back to the end of last year with Matrix and Princess. “It’s interesting to notice that RIG is involved for both of these,” he says, “whereas GrandSoft is a blast from the past, first appearing in 2012 and it was thought that it had disappeared.” Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that while some exploit kits such as Terror or Magnitude are still being occasionally used to deliver ransomware, these campaigns are usually highly targeted at specific regions. “Booby-trapped email attachments and macros within documents have become the new norm in disseminating ransomware,” Arsene concludes, “as they can affect a significantly larger pool of victims.”