Learn about Zero Trust Architecture
Impenetrable cybersecurity without sacrificing usability
Gain detailed visibility into all your endpoints activities
Harden applications and hardware environments
Immediate and continuous response to incidents
Close the window of time your data could be exposed
Get your Comodo solutions setup, deployed or optimized
Control access to malicious websites
Defend from any internet based threats
Stop email threats before it enters your inbox
Preserve and protect your sensitive data
Keep your website running fast and malware free
Add encryption to your websites
Automated certificate mgmt. platform
Secure private intranet environments
Digital signature solutions for cloud apps
Encrypt emails for senders and recipients
Stay compliant with PCI DSS
Trusted authentication for IoT devices
Francisco Partners a leading technology-focused private equity fund, has acquired a majority stake in Comodo’s certificate authority business. Newly renamed from Comodo CA Limited to Sectigo Limited. Privacy Policies, Trademarks, Patents and Terms & Conditions are available on Sectigo Limited’s web site.
Meet the people behind the direction for Comodo
Get the latest news about Comodo
People are the key to achievement and prosperity
Stay up to date with our on-demand webinars
Worldwide: Sales, Support and General Inquiries
Schedule a live demonstration of our solutions
Need immediate help? Call 1-888-551-1531
Instantly removes viruses to keep your PC virus free
Experience true mobile security on your mobile apple devices
Secure Internet Browser based on Chrome
Chrome browser internet security extension
Submit a ticket to our support team
Share any product bugs or security flaws
Collaborate with research experts on data sets
Valkyrie Threat Intelligence Plugins
Valkyrie Threat Intelligence APIs
The arms race between cybercriminals and cybersecurity warriors is increasing at an enormous speed. Malware authors immediately react on any detected and neutralized malware with new, more sophisticated samples to bypass the freshest antimalware products. GandCrab is a bright representative of such new-generation malware.
First discovered in January 2018, this sophisticated, cunning and constantly changing ransomware has already four versions significantly distinguishing from each other. Cybercriminals constantly added new features for harder encryption and avoiding detection. The last sample Comodo malware analysts discovered has something brand-new: it utilizes Tiny Encryption Algorithm (TEA) to avoid detection.
Analyzing GandCrab is useful not as an exploration of a particular new malware, throughout some researchers called it a “New King of ransomware”. It’s a clear example of how modern malware readjusts to the new cybersecurity environment. So, let’s go deeper into the GandCrab’s evolution.
The first version of GandCrab, discovered on January 2018, encrypted users’ files with a unique key and extorted a ransom in DASH crypto-currency. The version was distributed via exploit kits such as RIG EK and GrandSoft EK. The ransomware copied itself into the“%appdata%\Microsoft” folder and injected to the system process nslookup.exe.
It made the initial connection to pv4bot.whatismyipaddress.com to find out the public IP of the infected machine, and then run the nslookup process to connect to the network gandcrab.bit a.dnspod.com using the “.bit” top-level domain.
This version quickly spread in the cyberspace but its triumph was stopped at the end of February: a decryptor was created and placed online, thus letting victims decrypt their files without paying a ransom to the perpetrators.
The cybercriminals did not stay long with the answer: in a week, the GandCrab version 2 hit the users. It had a new encryption algorithm making the decryptor useless. The encrypted files had .CRAB extension and hardcoded domains changed to ransomware.bit and zonealarm.bit. This version was propagated via spam emails in March.
The next version came up in April with new ability to change a victim’s desktop wallpapers to a ransom note. Constant switching between desktop and the ransom banner was definitely aimed to exert more psychological pressure on the victims. Another new feature was RunOnce autorun registry key:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\whtsxydcvmtC:\Documents and Settings\Administrator\Application Data\Microsoft\yrtbsc.exe
Finally, new, the fourth version of Gandcrab v4 has come up in July with a variety of significant updates, including a new encryption algorithm. As Comodo analyst discovered, the malware now uses Tiny Encryption Algorithm (TEA) to avoid detection — one of the fastest and efficient cryptographic algorithms developed by David Wheeler and Roger Needham on the symmetric encryption base.
Also, all encrypted files now have an extension .KRAB instead of CRAB.
In addition, the cybercriminals changed the way of the ransomware dissemination. Now it’s spread through fake software crack sites. Once a user downloads and runs such “stuffing” crack, the ransomware drops on the computer.
Here is an example of such fake software crack. Crack_Merging_Image_to_PDF.exe, in reality, is GandCrab v4.
Let’s see in details what will happen if a user runs this file.
Under the hood
As mentioned above, the GandCrab ransomware uses strong and fast TEA encryption algorithm to avoid detection. Decryption routine function gets the GandCrab plain file.
After the decryption is complete, the original GandCrab v4 file drops and runs, starting the killing raid.
Firstly, the ransomware checks the list of the following processes with CreateToolhelp32Snapshot API and terminate any of them running:
Then ransomware checks for a keyboard layout. If it occurs to be Russian, GandCrab terminates the execution immediately.
Generating URL Process
Significantly, GandCrab uses a specific random algorithm to generate URL for each host. This algorithm are based on the following pattern:
The malware consistently creates all elements of the pattern, resulting in a unique URL.
You can see the URL created by malware on in the right column.
GandCrab collects the following information from the infected machine:
Then it checks for an antivirus running…
… and gathers the information about the system. After that, it encrypts all collected information with XOR and sends it to the Command-and-Control server. Significantly, it uses for encryption “jopochlen” key string that is an obscene language in Russian. That’s one more clear sign of Russian origination of the malware.
The ransomware generates private and public keys using Microsoft Cryptographic Provider and the following APIs:
Before starting the encryption process, the malware checks for some files…
… and folders to skip them during encryption:
These files and folders are necessary for the ransomware to function properly. After that, GandCrab begins encrypting the victim’s files.
When the encryption is over, GandCrab opens a KRAB-DECRYPT.txt file that is the ransom note:
If the victim follows the perpetrators’ instructions and goes to their TOR site, she’ll find the ransom banner with the counter:
The payment page contents detailed instruction on how to pay the ransom.
Comodo cybersecurity research team has traced the GandCrab communication IPs. Below is top-ten countries from this IPs list.
GandCrab hit users all over the world. Here is the list of top-ten countries affected by the malware.
“This finding of our analysts clearly demonstrate that malware swiftly changes and evolves in its rapidity of adaptation to cybersecurity vendors’ countermeasures”, comments Fatih Orhan, The Head of Comodo Threat Research Labs. “Obviously, we are at the edge of the time when all processes in the cybersecurity field are intensely catalyzing. Malware is quickly growing not only in quantity but also in its ability to mimic instantly. In Comodo Cybersecurity First Quarter 2018 Threat Report, we predicted that downsizing of ransomware was just a redeployment of forces and we’ll face with updated and more complicated samples in the nearest future. The appearance of GandCrab clearly confirms and demonstrate this trend. Thus, cybersecurity market should be ready to face with upcoming waves of attacks loaded with brand-new ransomware types.”
Live secure with Comodo!
Reading Time: 4 minutes Increased dependency on computers and access to data makes an organization more vulnerable to cybersecurity threats. With the increase in cyber-criminals and cyber-attacks, many companies today are looking for greater protection of their decentralized computing work environments from their Managed Service Providers (MSPs). As a result, MSPs need to deliver firewall solutions that are designed…
Reading Time: 3 minutes Rapid technological growth and increasing digitalization in all aspects of life around the world have increased the value of ensuring cyber-security at all levels. This is increasingly true for EU member states and the organizations that are based in or operate from these countries. The number of cyber-attacks targeting EU member states has risen. The…
Reading Time: 3 minutes Disruptions are often unforeseen. This could be a catastrophic event like a hurricane, a fire, or an earthquake. Disruptions, however, can also come in other forms such as that of a pandemic. This means that a building doesn’t necessarily have to be demolished or lives have to be lost for an unforeseen event to completely…
Sign up to our cyber security newsletter
Comodo Cybersecurity would like to keep in touch with you about cybersecurity issues, as well as products and services available. Please sign up to receive occasional communications. As a cybersecurity company, we take your privacy and security very seriously and have strong safeguards in place to protect your information.
See how your organization scores against cybersecurity threats