GrandCrab Ransomware Spreads Using Multiple Known Vulnerabilities

silversurfer

As reported by 360 Security Center, GrandCrab makes use of multiple methods of infiltrating and compromising victims: via spam e-mails, by disguising itself as harmless software or cracked utilities, by exploiting Struts and Apache Tomcat vulnerabilities and JBoss and WebLogic security flaws, and even by using password cracking attacks when everything else fails.
Moreover, the most common attack vector for GrandCrab is maliciously crafted e-mails which contain a dropper bundled up as a malicious attachment and designed to download the malware and run it on the victim's machine.

The amount of time and the number of changes GrandCrab's authors seem to put in every newly "released" version makes them a force to be feared, seeing that adding new propagation and attack capabilities makes this ransomware strain more and more dangerous every time a new version starts doing its rounds.

What's interesting regarding this ransomware strain is that, before even trying to encrypt essential files on the target's computer, GrandCrab will begin deleting all automatic backups of a user's data (shadow copies) to make sure that the files it takes for ransom will not be recoverable until the payment is delivered in full.

The latest version of GrandCrab will begin scanning for all target document formats upon execution, and when it finds one, it will encrypt it and rename it using a randomly chosen five character extension.

After encrypting the files it wants to hold as hostages, GrandCrab will also create its ransom note, with detailed instructions on how the victim can pay to have the documents restored and with directions to the "payment portal" at gandcrabmfe6mnef.onion.

Furthermore, GrandCrab does not play the waiting game seeing that, once it finishes encrypting the files, it goes straight to business and reboots the computer it has infected after achieving persistence, executing itself after the system restarts and displaying the ransom note.