 |
| Sophos Warns Against Notorious Ransomware GandCrab |
In the recently published SophosLabs Uncut report, the company revealed that the ransomware, which appeared just over a year ago, has become popular among cybercriminals due to its unique software licensing scheme.
GandCrab uses a ransomware-as-a-service business model to attract a large pool of customers through the dark web. Unfortunately, this also means a large pool of victims.
The ransomware may owe some of its early success to its unique software licensing scheme. For USD100 (around Php5,000), neophyte ransomware crime lords could build a criminal fiefdom of up to 200 victims in a two month period, working their way up to earning enough to afford more premium-rate services and features.
See Also: Sophos Threat Report 2019 Reveals Cybercriminals Outsmarting Antivirus Solutions
In essence, the GandCrab creators provide a criminal franchise system. The business model for GandCrab gives the franchisee the option of choosing their ransom amount, among other features. Some victims report ransoms as low as USD300 (around Php15,000) but they can run an order of magnitude higher.
Initially delivered via RIG exploit kit, once licensees began using the ransomware, they chose whatever distribution method suited them best. By a month later, malicious spam began to appear with malicious office documents that, when opened, delivered GandCrab to victims.
The malware itself uses a deviously clever fileless approach to execute itself and encrypt the victim’s files. It has an effective countermeasure to traditional antivirus software, which would not be able to detect or clean the (conspicuously absent) malicious file.