Beware: GandCrab Criminals Recruiting Affiliates with RDP/VNC Skills


According to CrowdStrike researchers, the criminal group behind the infamous GandCrab ransomware is nicknamed Pinchy Spider. The group has been selling access to the ransomware in a partnership program with a limited number of accounts.

It’s curious to note that the program offers a 60-40 split in profits, with 60 percent offered to the customer. However, the gang is willing to negotiate up to a 70-30 split for customers that are considered more “sophisticated”, researchers say.

The newest version of the ransomware, GandCrab 5.2, was released in February, right after a decryption tool for the previous version became available to victims. In their latest campaigns, the Pinchy Spider gang is looking to increase their profits even further.


Security Researchers Reveal Information about GandCrab’s Operators

CrowdStrike researchers believe that the “development of the ransomware itself has been driven, in part, by PINCHY SPIDER’s interactions with the cybersecurity research community. GandCrab contains multiple references to members of the research community who are both publicly active on social media and have reported on the ransomware”.
In their most recent endeavors, Pinchy Spider criminals have been advertising GandCrab to individuals with remote desktop protocol (RDP) and VNC (Virtual Network Computing) skills, and spam operators who have experience in corporate networking.

The researchers also provided an example of such an advertisement which reads “Spammers, working with landing pages and corporate networking specialists — do not miss your ticket to a better life. We are waiting for you.”

The CrowdStrike Intelligence team first identified the new GandCrab deployment tactics in mid-February, when a threat actor was detected performing hands-on actions on a compromised host in an attempt to install GandCrab.


Though initially unsuccessful, the threat actor returned later to perform further reconnaissance on the victim network, the report says. The next day the attempts continued: the criminal returned once again and manually removed the security software that had been preventing the installation of GandCrab on the host.

During the reconnaissance, the criminal used legitimate system administration tools such as Sysinternals Process Monitor, Process Hacker, and a file search tool called LAN Search Pro to collect information from the hosts.
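The sequence above (hands-on reconnaissance with admin tools, followed a day later by manual removal of endpoint security) is a pattern a defender can correlate in process-creation telemetry. The following is an added example, not code from the report or from CrowdStrike; the executable names for the tools, the log line format and the log lines themselves are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumed executable names for the tools named in the report (hypothetical; verify
# against your own binary inventory and hashes before relying on them).
RECON_TOOLS = {"procmon.exe", "processhacker.exe", "lansearchpro.exe"}
# Generic command-line patterns that stop or uninstall endpoint security.
DISABLE_PATTERNS = [
    re.compile(r"\bsc(\.exe)?\s+(stop|delete)\b", re.I),
    re.compile(r"\bnet(\.exe)?\s+stop\b", re.I),
    re.compile(r"\bmsiexec(\.exe)?\s+/x\b", re.I),
    re.compile(r"\btaskkill(\.exe)?\b.*/im\b", re.I),
]
# Constructed process-creation log format used for this example.
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                    r"image=(?P<image>\S+) cmd=(?P<cmd>.*)$")
# Constructed sample events: recon on day one, security-software removal on day two.
SAMPLE_LOG = """\
2019-02-14 10:03:11 host=WS-17 user=CORP\\jdoe image=C:\\Tools\\procmon.exe cmd=procmon.exe /accepteula
2019-02-14 10:10:42 host=WS-17 user=CORP\\jdoe image=C:\\Tools\\ProcessHacker.exe cmd=ProcessHacker.exe
2019-02-15 09:21:05 host=WS-17 user=CORP\\jdoe image=C:\\Windows\\System32\\sc.exe cmd=sc.exe stop ExampleAV
2019-02-15 09:22:30 host=WS-17 user=CORP\\jdoe image=C:\\Windows\\System32\\msiexec.exe cmd=msiexec.exe /x {EXAMPLE-AV-GUID} /qn
2019-02-15 11:00:00 host=WS-02 user=CORP\\admin image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe
"""

def parse(line):
    """Parse one constructed log line into a dict, normalising the image name."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["image"] = ev["image"].rsplit("\\", 1)[-1].lower()
    return ev

def detect(log_text, window=timedelta(hours=48)):
    """Alert when a security-software removal follows recon-tool use on the same host."""
    per_host = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        h = per_host.setdefault(ev["host"], {"recon": [], "disable": []})
        if ev["image"] in RECON_TOOLS:
            h["recon"].append(ev)
        elif any(p.search(ev["cmd"]) for p in DISABLE_PATTERNS):
            h["disable"].append(ev)
    alerts = []
    for host, h in per_host.items():
        for d in h["disable"]:
            prior = [r for r in h["recon"] if timedelta(0) <= d["ts"] - r["ts"] <= window]
            if prior:  # recon preceded the removal within the window
                alerts.append({"host": host, "user": d["user"], "disable_cmd": d["cmd"],
                               "recon_tools": sorted({r["image"] for r in prior})})
    return alerts
```

A lone Process Hacker launch is common admin activity; the value of the rule is the correlation with a subsequent service stop or uninstall on the same host, which is why the two event classes are scored together.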

In short, the change in deployment tactics observed in these recent incidents, together with Pinchy Spider's advertising for individuals with RDP/VNC skills and corporate networking experience, indicates that the criminal gang and its affiliates are expanding into big game hunting tactics, the researchers concluded.

Milena Dimitrova