GandCrab ransomware operators team up with crypter service

The GandCrab ransomware variant has been paired up with a crypter service to further enhance the malware’s stealth capabilities. 

How do you protect your and your clients’ files from ransomware attacks? Do you have a backup plan to decrease the risk of losing your important files?

In the event of a ransomware attack, SkyFlok customers have a backup plan: you can recover in no time, because we keep all previous versions of your files. If you use our web app as the main way of interacting with your and your clients' data, a local ransomware attack on your computer will not compromise your files or your productivity.

The malware has undergone a number of evolutions of late and the authors behind GandCrab appear to be constantly seeking out ways to enhance the malware’s code since its formation in January this year.

GandCrab attempts to infect systems via poorly-secured remote desktop applications, exploit kits, phishing, botnets, and PowerShell scripts. The malware usually comes as a package and is considered by many as a ransomware-as-a-service offering.

The ransomware has already claimed thousands of victims worldwide. Once a system has been infected, GandCrab encrypts and locks files and demands a payment of anything from a few hundred to several thousand dollars.

Last month, researchers found that the fourth version of the malware was being delivered via the Phorpiex worm in order to infect enterprise networks and propagate via USB drives, removable storage, and spam.

Version five, which was only released in September, has given operators the choice to demand payment in either the Dash or Bitcoin cryptocurrencies.

GandCrab is now on version 5.0.2. Although it is under constant development, it still contains bugs and programming errors, which security researchers can exploit to develop signatures and decryption services for victims.

It appears that the GandCrab developers, however, are keen to plug these security holes and make the task of reverse-engineering the malware more difficult.

According to researchers Alexandre Mundo, John Fokker and Thomas Roccia from cybersecurity firm McAfee, GandCrab, perhaps due to its cult status in underground forums, has managed to team up with a crypter service.

In a blog post, the researchers said that “the speed of change is impressive and increases the difficulty of combating it.”

Crypters are often a key component of obfuscation. Rather than changing the signature of the malware itself, obfuscation relies on different delivery methods to circumvent antivirus protections.

While packers, instruction changes, and the introduction of dead code are all part-and-parcel of obfuscation, crypters are also used to encrypt elements of malware — or the whole package — to bar access to signatures.

NTCrypt is the service chosen to bolster GandCrab’s capabilities following an aggressive marketing scheme and competition launched by GandCrab developers to find a partner.

The crypter is described online as "a fully NT-based crypter with a unique injection method that will guarantee a high execution rate, unlike other crypters that rely on traditional and overused methods to achieve payload execution."

The software is on offer for between $950 and $1,600.

In order to drum up excitement in the announcement, the NTCrypt-GandCrab partnership has offered a discount to cybercriminals signing up for the service.

“This novel approach emphasizes once more the cult status GandCrab has in the underground community,” McAfee says. “For a criminal business such as GandCrab, building these alliances makes perfect sense: They increase the ease of operation and a trusted affiliate network minimizes their risk exposure by allowing them to avoid less-trusted suppliers and distributors.”

Ransomware is incredibly popular with cybercriminals due to the possibility of high returns, especially as many victims will pay up to retrieve locked and encrypted files.

The operators of the SamSam ransomware are earning $300,000 a month, while Cerber developers have managed to earn an estimated $195,000 in only a month through such malware.

For as long as this particular form of malware has the capability to make its operators a fortune in fraudulent income, we are likely to see more and more cybercriminals bringing new forms of ransomware to the market.

Daniel Lucani

PhD at MIT. Author of 8 patents and patent applications on network coding. Tech expert with 12+ years of experience.