Researchers uncover Russian dark web ad for new GandCrab ransomware-as-a-service

Researchers investigating the newly discovered GandCrab ransomware have learned how its authors are marketing the malicious program as a ransomware-as-a-service package to potential buyers on the dark web.

On Friday, Australian cybersecurity firm LMNTRIX shared with SC Media its findings, after uncovering a Russian-language advertisement for GandCrab -- an unusual ransomware in that it uses the RIG and GrandSoft exploit kits as a distribution mechanism, demands payment using the cryptocurrency Dash, and employs a server hosted on a .bit domain.

According to LMNTRIX, the ad offers a partner program, whereby members split GandCrab's profits with the developers 60:40. Additionally, large partners are given the opportunity to increase their share to 70 percent. The authors also offer technical support and updates to buyers.

However, there are caveats: Partners must not target countries in the former Soviet Republics that now comprise the Commonwealth of Independent States, or their accounts will be deleted. Furthermore, "Partners must apply to use the ransomware, and there is a limited amount of 'seats' available," LMNTRIX explained in an email to SC Media.

According to LMNTRIX's English translation of the ad, the authors also tout the ability to manually configure ransom size, individual bots and encryption masks; a "convenient admin panel" located on the TOR network; and the ability to access a victim's page from a regular web browser, "which significantly increases the number of payments." The ad further states that if the victim does not pay on time, the ransom amount automatically doubles.

As an additional selling point, GandCrab's authors also posted an instructional video demonstrating how the ransomware is able to avoid antivirus detection.

Bradley Barth
