The arms race between cybercriminals and cybersecurity defenders is accelerating at an enormous pace. Malware authors react immediately to every detected and neutralized sample with new, more sophisticated ones built to bypass the freshest antimalware products. GandCrab is a prime representative of this new generation of malware.
First discovered in January 2018, this sophisticated, cunning and constantly changing ransomware has already gone through four versions that differ significantly from each other. The cybercriminals kept adding new features for stronger encryption and better evasion of detection. The latest sample Comodo malware analysts discovered has something brand-new: it uses the Tiny Encryption Algorithm (TEA) to avoid detection.
Analyzing GandCrab is useful not merely as an exploration of one particular new malware, even though some researchers have called it the “New King of ransomware”. It is a clear example of how modern malware readjusts to the changing cybersecurity environment. So, let’s go deeper into GandCrab’s evolution.
The first version of GandCrab, discovered in January 2018, encrypted users’ files with a unique key and extorted a ransom in the DASH crypto-currency. This version was distributed via exploit kits such as RIG EK and GrandSoft EK. The ransomware copied itself into the “%appdata%\Microsoft” folder and injected itself into the system process nslookup.exe.
It made an initial connection to pv4bot.whatismyipaddress.com to find out the public IP of the infected machine, and then ran the nslookup process to resolve gandcrab.bit via a.dnspod.com, using the “.bit” top-level domain.
This version spread quickly, but its triumph was cut short at the end of February: a decryptor was created and placed online, letting victims decrypt their files without paying a ransom to the perpetrators.
The cybercriminals did not take long to respond: within a week, GandCrab version 2 hit users. It had a new encryption algorithm that made the decryptor useless. The encrypted files had a .CRAB extension, and the hardcoded domains changed to ransomware.bit and zonealarm.bit. This version was propagated via spam emails in March.
The next version came up in April with a new ability to change the victim’s desktop wallpaper to a ransom note. Constant switching between the desktop and the ransom banner was clearly intended to exert more psychological pressure on the victims. Another new feature was a RunOnce autorun registry key:
Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Value: whtsxydcvmt = C:\Documents and Settings\Administrator\Application Data\Microsoft\yrtbsc.exe
Finally, the fourth version, GandCrab v4, came out in July with a variety of significant updates, including a new encryption algorithm. As Comodo analysts discovered, the malware now uses the Tiny Encryption Algorithm (TEA) to avoid detection: a fast and efficient symmetric block cipher developed by David Wheeler and Roger Needham.
Also, all encrypted files now have the extension .KRAB instead of .CRAB.
In addition, the cybercriminals changed the way the ransomware is disseminated. Now it is spread through fake software crack sites. Once a user downloads and runs such a fake crack, the ransomware is dropped on the computer.
Here is an example of such a fake software crack: Crack_Merging_Image_to_PDF.exe is, in reality, GandCrab v4.
Let’s see in detail what happens if a user runs this file.
Under the hood
As mentioned above, the GandCrab ransomware uses the strong and fast TEA encryption algorithm to avoid detection: the dropper’s decryption routine recovers the plain GandCrab file from the encrypted payload.
After the decryption is complete, the original GandCrab v4 file is dropped and run, and the attack begins.
First, the ransomware checks for the following processes using the CreateToolhelp32Snapshot API and terminates any of them that are running:
Then the ransomware checks the keyboard layout. If it is Russian, GandCrab terminates execution immediately.
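To make the TEA step concrete, here is an added example (written for this article, not code from Comodo or from the malware) that implements the Tiny Encryption Algorithm as published by Wheeler and Needham and uses it the way an analyst would when unpacking such a sample: a known 128-bit key is applied to an encrypted blob, and the output is checked for the “MZ” marker that a plain Windows executable starts with. The key, the payload bytes and the little-endian word order are constructed assumptions for the demonstration; the real sample’s key and byte order are not given in the analysis above.

```python
import struct

# TEA constants from the reference description: 32 rounds of the Feistel-like
# mixing step, with the golden-ratio-derived "delta" added to a running sum.
DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
ROUNDS = 32


def _tea_encrypt_block(v0, v1, k):
    """Encrypt one 64-bit block (two uint32 words) with a 128-bit key (four uint32 words)."""
    k0, k1, k2, k3 = k
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def _tea_decrypt_block(v0, v1, k):
    """Undo _tea_encrypt_block: same schedule run backwards, starting from sum = 32 * delta."""
    k0, k1, k2, k3 = k
    total = (DELTA * ROUNDS) & MASK32  # 0xC6EF3720
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return v0, v1


def _key_words(key: bytes):
    """Split a 16-byte key into four little-endian uint32 words (assumed word order)."""
    if len(key) != 16:
        raise ValueError("TEA needs a 128-bit (16-byte) key")
    return struct.unpack("<4I", key)


def tea_encrypt(data: bytes, key: bytes) -> bytes:
    """Encrypt whole 8-byte blocks in ECB fashion (no chaining), as a simple packer would."""
    if len(data) % 8:
        raise ValueError("TEA works on 8-byte blocks; pad the input first")
    k = _key_words(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *_tea_encrypt_block(v0, v1, k))
    return bytes(out)


def tea_decrypt(data: bytes, key: bytes) -> bytes:
    """Inverse of tea_encrypt over the same block layout."""
    if len(data) % 8:
        raise ValueError("ciphertext length must be a multiple of 8")
    k = _key_words(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *_tea_decrypt_block(v0, v1, k))
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check an analyst applies after unpacking: a PE file begins with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed stand-in for an embedded executable (not real malware bytes): an MZ
# header followed by the familiar DOS-stub string, zero-padded to a block boundary.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 6 + b"This program cannot be run in DOS mode.\x00"
SAMPLE_PAYLOAD += b"\x00" * (-len(SAMPLE_PAYLOAD) % 8)
SAMPLE_KEY = b"0123456789abcdef"  # constructed key, purely for the demonstration


def recover_payload(blob: bytes, key: bytes) -> bytes:
    """Decrypt a TEA-packed blob and refuse the result if it does not look like a PE file."""
    plain = tea_decrypt(blob, key)
    if not looks_like_pe(plain):
        raise ValueError("decrypted data does not start with MZ; wrong key or wrong block layout?")
    return plain


if __name__ == "__main__":
    packed = tea_encrypt(SAMPLE_PAYLOAD, SAMPLE_KEY)
    print("packed blob starts with MZ:", looks_like_pe(packed))
    print("recovered payload:", recover_payload(packed, SAMPLE_KEY)[:48])
```

Two things worth noticing when using this against a real sample: the encrypted blob no longer carries the “MZ” marker, which is exactly why static signatures on the embedded file fail; and because the packer shown here runs TEA in ECB mode, identical 8-byte plaintext blocks produce identical ciphertext blocks, a pattern that can itself be used to spot a TEA-packed payload.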
Generating URL Process
Significantly, GandCrab uses a specific randomized algorithm to generate a URL for each host. This algorithm is based on the following pattern:
The malware builds every element of the pattern in turn, resulting in a unique URL.
The URL created by the malware is shown in the right column.
GandCrab collects the following information from the infected machine:
Then it checks for an antivirus running…
… and gathers information about the system. After that, it encrypts all collected information with XOR and sends it to the Command-and-Control server. Significantly, it uses the key string “jopochlen” for this encryption, which is an obscenity in Russian. That is one more clear sign of the malware’s Russian origin.
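The following is an added example (not from the article or from Comodo) showing what the XOR step above means in practice for an analyst looking at captured C2 traffic: a repeating-key XOR is its own inverse, so the same routine that the malware applies before sending also decodes the data once the key string is known. It goes one step beyond the text by also showing the general known-plaintext trick for recovering a repeating XOR key when only a few leading plaintext bytes are known. The beacon contents, field names and the 198.51.100.23 address are constructed for the demonstration; the real report format is not described above.

```python
# Key string reported in the analysis of GandCrab v4.
JOPOCHLEN_KEY = b"jopochlen"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key returns the original bytes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext recovery for a repeating XOR key.

    Because c[i] = p[i] ^ k[i mod n], any position where p[i] is known yields
    k[i mod n] = c[i] ^ p[i]. With key_len known bytes at the start, the whole
    key falls out directly.
    """
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of ciphertext and known plaintext")
    return bytes(ciphertext[i] ^ known_plaintext[i] for i in range(key_len))


def parse_beacon(ciphertext: bytes, key: bytes) -> dict:
    """Decode an XOR-obfuscated 'field=value&field=value' report into a dict (constructed format)."""
    plain = xor_with_key(ciphertext, key).decode("ascii")
    fields = {}
    for pair in plain.split("&"):
        name, _, value = pair.partition("=")
        fields[name] = value
    return fields


# Constructed sample of the kind of host information the text says is collected,
# in an invented field=value layout; 198.51.100.23 is a documentation-range address.
SAMPLE_BEACON = b"ip=198.51.100.23&pc_user=alice&pc_name=WS01&av=none&os=Windows 7"


def build_obfuscated_beacon() -> bytes:
    """Produce the wire form of SAMPLE_BEACON, as it would appear in a capture."""
    return xor_with_key(SAMPLE_BEACON, JOPOCHLEN_KEY)


if __name__ == "__main__":
    wire = build_obfuscated_beacon()
    print("on the wire:", wire.hex())
    print("decoded:", parse_beacon(wire, JOPOCHLEN_KEY))
    # Even without the key string, the 'ip=' prefix plus a guess at the key length
    # is enough to recover it from a single captured message.
    print("recovered key:", recover_key(wire, SAMPLE_BEACON[:9], len(JOPOCHLEN_KEY)))
```

The practical lesson for detection is that single-key XOR provides no confidentiality: a network sensor that knows (or recovers) the key string can decode every beacon, and the key bytes themselves make a usable pattern for signatures on the obfuscated traffic.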
The ransomware generates private and public keys using Microsoft Cryptographic Provider and the following APIs:
Before starting the encryption process, the malware checks for some files…
… and folders to skip them during encryption:
These files and folders are necessary for the ransomware to function properly. After that, GandCrab begins encrypting the victim’s files.
When the encryption is over, GandCrab opens a KRAB-DECRYPT.txt file that is the ransom note:
If the victim follows the perpetrators’ instructions and goes to their TOR site, she’ll find the ransom banner with the counter:
The payment page contains detailed instructions on how to pay the ransom.
The Comodo cybersecurity research team has traced the GandCrab communication IPs. Below are the top ten countries from this IP list.
GandCrab hit users all over the world. Here is the list of top-ten countries affected by the malware.
“This finding of our analysts clearly demonstrates that malware swiftly changes and evolves in its rapidity of adaptation to cybersecurity vendors’ countermeasures”, comments Fatih Orhan, Head of Comodo Threat Research Labs. “Obviously, we are at the edge of the time when all processes in the cybersecurity field are intensely catalyzing. Malware is quickly growing not only in quantity but also in its ability to mimic instantly. In the Comodo Cybersecurity First Quarter 2018 Threat Report, we predicted that the downsizing of ransomware was just a redeployment of forces and we’ll face updated and more complicated samples in the nearest future. The appearance of GandCrab clearly confirms and demonstrates this trend. Thus, the cybersecurity market should be ready to face upcoming waves of attacks loaded with brand-new ransomware types.”
Live secure with Comodo!