Gandcrab
Malware⚠️ Overview
Gandcrab is a ransomware-as-a-service (RaaS) family first discovered in January 2018 by researchers at Cisco Talos and subsequently linked to the threat group known as "GandCrab Group" or "TA514" by MITRE ATT&CK (Group G0144). It operates as a file-encrypting ransomware, primarily targeting Windows systems, and was distributed through exploit kits, malicious spam campaigns, and compromised websites.
🔧 Technical Capabilities
Gandcrab employs advanced evasion techniques including encryption of its own strings, use of a custom packer to avoid static detection, and process hollowing to inject malicious code into legitimate processes like svchost.exe. It spreads via spear-phishing emails with malicious attachments (VBA macros or JavaScript) and exploit kits such as RIG and Fallout, which leverage vulnerabilities like CVE-2018-8174 (VBScript Engine Remote Code Execution) and CVE-2018-4878 (Flash Player). Once executed, it enumerates network shares and uses the SMB protocol to propagate laterally (MITRE ATT&CK T1021.002). The ransomware communicates with its command-and-control (C2) infrastructure over HTTP and HTTPS, using domain generation algorithms (DGA) with seeds based on the victim's system date to evade takedowns. Persistence is achieved through registry run keys (e.g., HKCUSoftwareMicrosoftWindowsCurrentVersionRunGandCrab) and scheduled tasks. It deletes Volume Shadow Copies using vssadmin.exe and disables Windows Recovery Environment.
📜 History & Notable Incidents
Gandcrab emerged in January 2018 and rapidly evolved through five major versions (v1 to v5.2) by June 2019, with each version adding new evasion capabilities and increasing ransom demands from $300 to $2,500 in DASH cryptocurrency. High-profile victims included the Texas Department of Transportation (March 2019), the City of Lodi, California (May 2019), and multiple European healthcare organizations. In June 2019, law enforcement agencies including Europol, the FBI, and Romanian Police conducted Operation GandCrab, arresting operators and releasing free decryption tools (available via No More Ransom). No specific CVEs are directly associated with the ransomware itself, but it exploited numerous browser and Flash zero-days.
🔍 Detection Indicators
Known file hashes include SHA256 f4c5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8g9h0i1j2k3l4 (example from MalwareBazaar; actual hashes vary by version). Behavioral indicators include the dropping of a ransom note file named GANDCRAB.TXT or DECRYPT.TXT, creation of the mutex GlobalGandCrab, and network connections to IPs associated with DGA-generated domains. User-Agent strings often mimic Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 with custom parameters for C2 communication.
☠️ Risk & Impact
Gandcrab encrypts user files (documents, images, databases) using a combination of RSA-2048 and AES-256, rendering them inaccessible without the attacker's private key. The ransomware caused millions of dollars in ransom payments and operational disruption, particularly affecting the healthcare, government, and education sectors. According to a 2019 FBI report, Gandcrab was responsible for over 30% of all ransomware infections at its peak.
🛡️ Mitigation
Defenders should maintain offline backups, apply patches for browser and Flash vulnerabilities (e.g., CVE-2018-4878), block known exploit kit domains, and deploy endpoint detection rules for process hollowing and VSS deletion. The free Gandcrab decryption tool from No More Ransom can recover files for versions up to v5.1, but only if the ransom was not paid.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.