What is GandCrab Ransomware?

Ransom.GandCrab is the detection name for a family of ransomware that encrypts important files and demands a ransom to decrypt them. There are several versions of Ransom.GandCrab, as the threat actors keep developing it. All of them target Windows systems.

Type and source of infection

Ransom.GandCrab scans the infected system and any reachable network shares for files to encrypt. You can recognize the version of GandCrab by the extension it appends to the encrypted files:

  • Version 1 appends the .gdcb extension
  • Versions 2 and 3 append the .crab extension
  • Version 4 appends the .krab extension
  • Version 5 appends a randomized 5-letter extension
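The extension table above is what an incident responder actually uses when triaging a share full of renamed files. The script below is an added example (not code from the original article or from any vendor tool): it maps the fixed extensions to versions 1 to 4, and treats version 5 heuristically, flagging any unfamiliar all-letter 5-character extension shared by many files. The allow-list of benign 5-letter extensions, the threshold of 20 files and the sample file listing are assumptions constructed for the example.

```python
import os
import re
from collections import Counter

# Extensions the article documents for GandCrab versions 1 to 4.
KNOWN_EXTENSIONS = {
    ".gdcb": "GandCrab v1",
    ".crab": "GandCrab v2/v3",
    ".krab": "GandCrab v4",
}

# Version 5 appends a randomised 5-letter extension, so it can only be
# detected heuristically: many files sharing one unfamiliar, all-letter,
# 5-character extension that no application normally produces.
FIVE_LETTER = re.compile(r"^\.[a-z]{5}$")

# Legitimate 5-letter extensions the heuristic must ignore. This allow-list
# is an assumption for the example; extend it for your own environment.
BENIGN_FIVE_LETTER = {
    ".class", ".ipynb", ".proto", ".xhtml", ".shtml", ".plist",
    ".swift", ".scala", ".patch", ".dylib",
}


def classify_paths(paths, v5_threshold=20):
    """Summarise GandCrab indicators found in an iterable of file paths.

    Returns {"known": {version: count}, "suspected_v5": {ext: count}}.
    GandCrab appends its extension to the original name (invoice.docx.crab),
    so os.path.splitext isolates exactly the ransomware extension.
    """
    known = Counter()
    five_letter = Counter()
    for path in paths:
        ext = os.path.splitext(path)[1].lower()
        if ext in KNOWN_EXTENSIONS:
            known[KNOWN_EXTENSIONS[ext]] += 1
        elif FIVE_LETTER.match(ext) and ext not in BENIGN_FIVE_LETTER:
            five_letter[ext] += 1
    # Only report an unknown 5-letter extension once enough files share it;
    # a single odd file is not evidence of mass encryption.
    suspected_v5 = {e: n for e, n in five_letter.items() if n >= v5_threshold}
    return {"known": dict(known), "suspected_v5": suspected_v5}


def scan_directory(root, v5_threshold=20):
    """Walk a directory tree (e.g. a mounted share) and classify every file."""
    def walk():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                yield os.path.join(dirpath, name)
    return classify_paths(walk(), v5_threshold)


def sample_paths():
    """Constructed sample listing (not from a real infection) for a dry run."""
    paths = [f"D:/share/docs/report{i}.docx.xjfqp" for i in range(25)]
    paths += [
        "D:/share/old/budget.xlsx.gdcb", "D:/share/old/notes.txt.GDCB",
        "D:/share/app/Main.class", "D:/share/app/Util.class",
        "D:/share/photos/cat.jpg", "D:/share/photos/dog.jpg.krab",
    ]
    return paths


if __name__ == "__main__":
    print(classify_paths(sample_paths()))
```

Run `scan_directory(r"\\fileserver\share")` against a suspect share; a mix of `.gdcb` and `.crab` hits usually means the share was reached by more than one infection wave, which matters when you are deciding which decrypter (if any) applies.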

Ransom.GandCrab is spread in many different ways:

  • malspam
  • exploit kits
  • social engineering
  • fake cracked software sites


The first thing users of affected systems usually notice is the ransom note, by which time encryption has already finished.


The authors of this ransomware are very active and have released at least five versions of GandCrab to date. While no two versions of the malware differ dramatically, the frequent changes show how much time the attackers are investing in maintaining and developing it.

GandCrab was also the first ransomware to demand payment in the DASH cryptocurrency and to use the ".bit" top-level domain (TLD). This TLD is not sanctioned by ICANN; it is resolved through the Namecoin blockchain rather than the regular DNS hierarchy, which makes the domains hard to take down and gives the attackers an extra layer of concealment.

As we mentioned in our previous articles on Black Ruby and Data Keeper, ransomware is still the attackers' favorite way of making money, and GandCrab certainly supports this argument.

GandCrab suffered an early setback when the anti-virus company Bitdefender released a decrypter for the earlier versions (v1.0 and v1.1). The decrypter was made possible not by any flaw in the encryption itself, but because the web server holding the victims' data was compromised and the private keys were leaked. That gave some lucky victims infected during that short window a chance to get their files back without paying the ransom. The ransomware author confirmed the hack, but GandCrab 2.0 was released the same week and the server was hardened against further attacks.

Spreading Mechanism

GandCrab is distributed via multiple vectors, including spam emails, exploit kits and affiliated malware campaigns. GrandSoft and RIG are the two exploit kits most commonly used to distribute it, alongside a high volume of malicious spam. The spam emails trick users into opening the file inside an attached ZIP archive, which is generally a script that downloads GandCrab and executes it.

The JavaScript file is heavily obfuscated. Upon execution it decodes a URL where GandCrab is hosted, downloads the malware to a file on disk and executes it.
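A mail gateway or triage analyst can catch this delivery chain before the script ever runs, because the attachment itself is the tell: a ZIP whose member is a script, often with a document-looking decoy extension in front of it. The screener below is an added example (not code from the original article or from any product) that opens a ZIP in memory, flags script and executable members, decoy double extensions and encrypted members, and looks inside text scripts for the Windows Script Host objects a JScript downloader needs to fetch a payload, write it to disk and run it (WScript.Shell, MSXML2.XMLHTTP, ADODB.Stream). Treating those markers as suspicious, the extension sets, and the sample attachment are all assumptions for the example; the embedded script is a harmless stub, not GandCrab's loader.

```python
import io
import os
import zipfile

# Member extensions that should never arrive as an "invoice" attachment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1", ".exe", ".scr"}

# Text-based scripts whose content is worth inspecting.
TEXT_SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}

# Document-looking inner extensions used to disguise a script (invoice.pdf.js).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# COM objects a Windows script needs to download, write and run a payload, plus
# common obfuscation helpers. Flagging these is this example's assumption.
DOWNLOADER_MARKERS = ("wscript.shell", "msxml2.xmlhttp", "microsoft.xmlhttp",
                      "adodb.stream", "string.fromcharcode", "unescape(", "eval(")


def screen_zip(data):
    """Return human-readable findings for the raw bytes of a ZIP attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base, ext = os.path.splitext(name.lower())
            if ext in SCRIPT_EXTENSIONS:
                findings.append(f"{name}: script/executable member ({ext})")
            if os.path.splitext(base)[1] in DECOY_EXTENSIONS:
                findings.append(f"{name}: decoy double extension")
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                findings.append(f"{name}: encrypted member, content not inspected")
                continue
            if ext in TEXT_SCRIPT_EXTENSIONS:
                with zf.open(info) as fh:  # cap the read; attachments can be padded
                    text = fh.read(1_000_000).decode("latin-1").lower()
                hits = [m for m in DOWNLOADER_MARKERS if m in text]
                if hits:
                    findings.append(f"{name}: downloader markers {hits}")
    return findings


def is_suspicious(data):
    """True if the attachment produced any finding."""
    return bool(screen_zip(data))


def build_attachment(members):
    """Build an in-memory ZIP from {member_name: content} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_attachment():
    """Constructed malspam-style attachment; the script is an inert stub that
    only names the objects a downloader would use."""
    stub_js = (
        "var sh = new ActiveXObject('WScript.Shell');\n"
        "var http = new ActiveXObject('MSXML2.XMLHTTP');\n"
        "var st = new ActiveXObject('ADODB.Stream');\n"
        "var u = String.fromCharCode(104, 116, 116, 112); // decoded URL would follow\n"
    )
    return build_attachment({
        "Invoice_2018.pdf.js": stub_js,
        "cover_letter.txt": "Please find the invoice attached.",
    })


if __name__ == "__main__":
    for line in screen_zip(build_sample_attachment()):
        print(line)
```

Encrypted members are reported rather than silently skipped: a password-protected archive defeats content inspection, and a script arriving that way deserves a closer look, not a pass.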

GandCrab's distribution network is quite complex and overlaps with other Trojan downloader malware, which suggests an affiliation between GandCrab's operators and other malware groups.

Security experts remind users that the following defensive measures help against such ransomware attacks:
1. Avoid weak passwords, and do not reuse the same password across multiple devices.
2. Do not install software of unclear origin, and patch known vulnerabilities promptly.
3. Keep offline backups: GandCrab encrypts any network share it can reach, so a backup on a mounted share may be encrypted along with everything else.

GandCrab updated to v5.0: GandCrab ransomware is back with a vengeance

In May 2017 the WannaCry ransomware broke out globally; by the figures cited at the time it hit at least 300,000 users in more than 150 countries and caused losses of around 8 billion US dollars. Since then, WannaCry variants, GlobeImposter, Satan and other families have launched numerous attacks. At the beginning of 2018 GandCrab appeared on the Internet, and its latest version has been updated to 5.0. Since September 2018 the spread of GandCrab 5.0 has grown rapidly, and many files on Windows servers have been encrypted.

GandCrab 5.0 is mainly spread by disguising itself as legitimate software to induce users to download it, or by exploiting vulnerabilities and brute-forcing weak passwords. After infection, the extension of documents, videos, compressed files and other files on the hard disk is changed to 5 random letters, and a ransom note is displayed on the desktop demanding payment in Bitcoin, Dash or other digital currency.