silversurfer
Thread author
As reported by 360 Security Center, GandCrab makes use of multiple methods of infiltrating and compromising victims, via spam e-mails, by disguising itself as harmless software or cracked utilities, exploiting Struts and Apache Tomcat vulnerabilities and JBoss and WebLogic security flaws, and even using password cracking attacks when everything else fails.
Moreover, the most common attack vector for GandCrab is maliciously crafted e-mails which contain a dropper bundled up as a malicious attachment and designed to download the malware and run it on the victim's machine.
The amount of time and the number of changes GandCrab's authors seem to put into every newly "released" version makes them a force to be feared, seeing that adding new propagation and attack capabilities makes this ransomware strain more and more dangerous every time a new version starts doing its rounds.
What's interesting regarding this ransomware strain is that, before even trying to encrypt essential files on the target's computer, GandCrab will begin deleting all automatic backups of a user's data (shadow copies) to make sure that the files it takes for ransom will not be recoverable until the payment is delivered in full.
The latest version of GandCrab will begin scanning for all target document formats upon execution, and when it finds one, it will encrypt it and rename it using a randomly chosen five-character extension.
After encrypting the files it wants to hold as hostages, GandCrab will also create its ransom note, with detailed instructions on how the victim can pay to have the documents restored and with directions to the "payment portal" at gandcrabmfe6mnef.onion.
Furthermore, GandCrab does not play the waiting game seeing that, once it finishes encrypting the files, it goes straight to business and reboots the computer it has infected after achieving persistence, executing itself after the system restarts and displaying the ransom note.
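Added example (not code from the post, from 360 Security Center or from the original article): two small detection heuristics for the behaviours described above, run over constructed sample data so they work offline. The first flags process-creation events whose command line deletes shadow copies; the post only says GandCrab deletes shadow copies, it does not say which command it uses, so the vssadmin, wmic, WMI and bcdedit patterns below are the standard Windows ways of doing that and are an assumption, not a GandCrab signature. The second looks for a mass rename of document files to one random five-character extension; that the original file name and extension survive underneath the appended extension is also an assumption. Paths, PIDs, parent images and the sample listing are all constructed.

```python
"""Detection heuristics for shadow-copy deletion and random five-character
extension renames.  Added example; sample events and listing are constructed,
and the specific command lines are assumed, not taken from the post."""
import re
from collections import defaultdict

# Standard ways shadow copies get deleted or made unrecoverable on Windows.
# Assumption: the post does not state which of these GandCrab runs.
SHADOW_DELETE_PATTERNS = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vssadmin resize shadowstorage": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "WMI Win32_ShadowCopy delete": re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),
    "bcdedit disable recovery": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Constructed process-creation events (Sysmon event ID 1 style, reduced to the
# fields a detection needs).  Not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet",
     "parent": r"C:\Users\victim\AppData\Local\Temp\invoice_2018.exe"},
    {"pid": 4133, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\victim\AppData\Local\Temp\invoice_2018.exe"},
    {"pid": 4140, "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No",
     "parent": r"C:\Users\victim\AppData\Local\Temp\invoice_2018.exe"},
    {"pid": 2210, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",          # benign: listing, not deleting
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"pid": 2300, "image": r"C:\Program Files\Office\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" report.docx',      # benign: ordinary document open
     "parent": r"C:\Windows\explorer.exe"},
]


def flag_shadow_copy_deletion(events):
    """Return (pid, rule name, parent image) for every event whose command
    line matches one of the shadow-copy deletion patterns.  The parent image
    is kept because an unsigned binary in a Temp directory spawning vssadmin
    is the part an analyst wants to see first."""
    hits = []
    for ev in events:
        for name, pattern in SHADOW_DELETE_PATTERNS.items():
            if pattern.search(ev["cmdline"]):
                hits.append((ev["pid"], name, ev["parent"]))
                break
    return hits


# Document formats a ransomware typically targets; a constructed subset.
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "txt",
                 "jpg", "png", "sql", "zip"}
FIVE_CHAR_EXT = re.compile(r"^[a-z0-9]{5}$", re.I)

# Constructed directory listing after an infection.  Assumption: the original
# name and extension are kept and the random five-character extension is
# appended to them.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\report.docx.ytrbn",
    r"C:\Users\victim\Documents\budget.xlsx.ytrbn",
    r"C:\Users\victim\Documents\plan.pptx.ytrbn",
    r"C:\Users\victim\Pictures\holiday.jpg.ytrbn",
    r"C:\Users\victim\Documents\notes.txt.ytrbn",
    r"C:\Users\victim\Documents\readme.txt",        # untouched file
    r"C:\Users\victim\Downloads\setup.msi",          # untouched file
    r"C:\Users\victim\Documents\archive.tar.gz",     # legitimate double extension
]


def find_ransomware_extension(paths, min_files=3):
    """Group files by their final extension and report any extension that is
    exactly five alphanumerics, is not itself a known document format, and is
    appended to at least min_files files whose previous extension is a known
    document format.  Returns {extension: [paths]}."""
    by_ext = defaultdict(list)
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        parts = name.split(".")
        if len(parts) < 3:              # need name + original ext + appended ext
            continue
        original, appended = parts[-2].lower(), parts[-1].lower()
        if (FIVE_CHAR_EXT.match(appended) and appended not in DOCUMENT_EXTS
                and original in DOCUMENT_EXTS):
            by_ext[appended].append(path)
    return {ext: files for ext, files in by_ext.items() if len(files) >= min_files}


if __name__ == "__main__":
    for hit in flag_shadow_copy_deletion(SAMPLE_PROCESS_EVENTS):
        print("shadow-copy deletion: pid=%d rule=%r parent=%s" % hit)
    for ext, files in find_ransomware_extension(SAMPLE_LISTING).items():
        print("suspicious extension .%s appended to %d document files" % (ext, len(files)))
```

The command-line check is the one to wire into a SIEM or EDR rule as a high-confidence alert, because the post describes the shadow-copy deletion as happening before encryption starts; the rename heuristic is a post-hoc triage aid for working out scope on a host that has already been hit, and the minimum-file threshold keeps a single oddly named file from tripping it.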