How GandCrab Attacks Showcase Ransomware Evolution

These days no one is surprised to hear about a ransomware infection, yet it took this type of malware only around five years to become the new norm. Before that, our main opponents on the cyber battlefield were Trojans, rogue antispyware, worms, and other "old type" infections. Technically, ransomware does not drift far from what many users would call "regular" malware, but its point of attack is entirely different. The damage a ransomware program can inflict is far bigger than anything we saw before, because it targets the one thing of vital importance in the cyber world: our data.

We will use this entry to discuss the early evolutionary stages of ransomware infections, and then look at how they became one of the biggest security risks businesses face today. We believe education and prevention are the best weapons in this battle, because once a ransomware program is running on a target system, it is very likely to encrypt the data before anyone can react.

When Ransomware Emerges

According to various sources, the CryptoLocker Trojan is often cited as the first modern encrypting ransomware, although file-encrypting malware existed well before it (the AIDS Trojan of 1989 is the usual earliest example). CryptoLocker appeared in September 2013 and was effectively taken out in mid-2014, when the botnet that distributed it was disrupted. Ever since then, we have witnessed many other types of ransomware come out into the open. The rise in ransomware infections has been steady since 2014, with big attacks by high-profile programs becoming quite common. It would not be far-fetched to say that the culmination of the high-profile attacks was May 2017, when the so-called WannaCry ransomware infected computers in 99 countries according to initial reports, and in more than 150 by later counts.

Since then, no other ransomware program has made as many headlines, but that does not mean the infection rate has declined. The nature of ransomware infections has changed: there are many "small" infections out there that hit private and corporate users almost every day. Some of those programs are underdeveloped and cannot even encrypt the target files (this usually happens when the ransomware creators are testing something). Some encrypt the files but have no working means to accept the ransom payment. Yet even if these attacks seem scattered all over the place, they can still inflict significant damage.

According to the "Bashe attack" scenario report released by Lloyd's of London together with the Cyber Risk Management (CyRiM) project, a hypothetical cyber-attack launched through an infected email that encrypts data on nearly 30 million devices worldwide within 24 hours could cost up to $193bn and affect more than 600,000 businesses. The scenario is modelled, not an incident that has happened, but the point stands: one successful attack could take down computer systems around the globe, and fixing everything would cost a staggering amount of money.

The same report also shows that ransomware attacks often target businesses, and that individual users may not be the main prey. In fact, it is common for ransomware programs to hit smaller businesses, because they are less likely to have invested in cybersecurity. They are also less likely to keep backups of their data outside of their own systems. And because they have no offline copies of their files to restore from, they are more likely to pay the ransom. That makes for a perfect target.

The Change in Ransomware Distribution

Previously, ransomware distribution was rather random. The most common distribution method has been, and still is, spam email; if the infection rate seemed bigger in earlier years, it is because spam campaigns were used to spray these infections literally anywhere. Some reports put the recent drop in the ransomware attack rate at around 91%, but that is a drop in quantity, not in quality.

The criminals behind these attacks now aim at particular companies that are more likely to pay the ransom. In fact, some reports say that a number of organizations have stockpiled cryptocurrency over the last year, since cryptocurrency is how the ransom is transferred in the event of an attack. Perhaps the best example of this new type of ransomware infection is the so-called GandCrab infection.

According to Kritika Roy of the Institute for Defence Studies and Analyses, GandCrab was first detected in January 2018. Like most ransomware, this infection spreads mainly via phishing emails (exploit kits were also used to deliver it in its early days). That means the infection has to be launched from inside the target network by one of its own users: someone unwittingly opens a fraudulent email, downloads the attachment and launches the file, infecting their system with GandCrab.

The reason this malicious campaign is so successful is that GandCrab is run as ransomware-as-a-service with almost 100 active affiliates reported at a time. In other words, the distribution system is decentralized: the operators keep the code and the payment infrastructure, while affiliates rent access, obtain ready-made payloads, send them to the targets of their choosing and share the ransom with the operators. In a sense it resembles the wave of infections built on Hidden Tear, whose source code was published openly so that anyone could customize the program to their liking. The difference is that GandCrab's operators never release the code; affiliates distribute the infection packages to particular targets and extort money from the attacked companies without a second thought.

Thus, we can see that ransomware creators now target particular business entities rather than regular users. If a business system is infected, ransomware can cause far more damage, and so companies are more likely to pay the ransom in order to mitigate it. Naturally, since GandCrab is such a prolific infection, security companies have put real effort into public decryption tools for it, and several have been released through the No More Ransom project. But there are many different versions of this infection, each new version tends to break the previous decryptor, and new ransomware apps pop into existence every single day. Therefore, the best way to protect a system from a ransomware infection is to avoid it in the first place. Vigilance matters!

The point is that you have to make sure an email is genuine whenever you receive an unexpected message. If you were not expecting that attachment, do not hesitate to call the sender, using a number you already have rather than one printed in the message. You can also use the security tools your company provides to scan the attached files before opening them. Do not open files from unknown senders on autopilot just because opening attachments is something you do every day. A terrible ransomware infection could be just one click away.
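One way to put that "scan before you open" advice into practice is a small attachment triage script. The following is an added example, not code from the original article or from any of the security products it mentions: it parses a raw email, enumerates the attachments and flags the shapes that mass-mailed ransomware lures typically take (executables and scripts, macro-enabled Office documents, double extensions such as `Statement.pdf.exe`, and archives with a script inside). The sample message, file names and the extension lists are constructed for the demonstration and are a starting point rather than an exhaustive policy.

```python
"""Triage e-mail attachments before anyone opens them.

Added example (not from the original article). The sample lure built by
build_sample_message() is constructed for this demo and contains no real malware.
"""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

# Extensions that should almost never arrive from an unknown sender: directly
# executable or script files, and Office formats that may carry macros.
# Assumption: these lists are illustrative, not an exhaustive policy.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".jar", ".msi", ".lnk"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
ARCHIVE_EXTS = {".zip"}
# Extensions commonly used as the "harmless" half of a double extension.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def _extensions(filename):
    """All dotted extensions of a name, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def attachment_findings(filename, payload):
    """Return the reasons an attachment looks risky; an empty list means nothing flagged."""
    reasons = []
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable or script extension {last}")
    if last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office extension {last}")
    if len(exts) >= 2 and exts[-2] in DECOY_EXTS and last not in DECOY_EXTS:
        reasons.append(f"double extension {''.join(exts[-2:])}")
    if last in ARCHIVE_EXTS:
        # Look inside the archive: a lone script in a zip is a classic lure.
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    inner = _extensions(os.path.basename(name))
                    if inner and inner[-1] in EXECUTABLE_EXTS | MACRO_EXTS:
                        reasons.append(f"archive contains {name}")
        except zipfile.BadZipFile:
            reasons.append("archive is not a valid zip")
    return reasons


def triage_message(raw):
    """Parse a raw RFC 5322 message and report (filename, findings) for each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        report.append((name, attachment_findings(name, payload)))
    return report


def build_sample_message():
    """Constructed lure in the style the article describes (placeholder content only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_2018-01.js", "// placeholder, not malicious\n")
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Unpaid invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="Invoice.zip")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="octet-stream", filename="Statement.pdf.exe")
    msg.add_attachment("plain text", subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage_message(build_sample_message()):
        print(f"{name}: {'; '.join(reasons) if reasons else 'nothing flagged'}")
```

Run it as a script to see the three constructed attachments scored: the zip is flagged for the script inside it, `Statement.pdf.exe` for both its executable extension and the double extension, and `notes.txt` passes. Name-based checks like these are cheap and catch the common lures, but they say nothing about the file's actual content, so they belong in front of, not instead of, a real scanner or sandbox.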