Ransomware Goes Agile. SandBlast Has It Covered.

  • The GandCrab ransomware has already infected over 50,000 victims
    and extorted up to $600k in just two months.
  • The malware developers update GandCrab in real time. In 2018, even ransomware is agile.
  • SandBlast Agent is able to detect each new variant of GrandCrab, regardless how often it changes.


2018 started with a bang for the Ransomware-as-a-Service industry. With the successful infection of over 50,000 computers in just two months in primarily the US, UK and Scandinavia, up to $600k in ransom payments has already been extorted from its victims by the much spoken about GandCrab ransomware. Check Point Researchers took a deeper look into the malware’s development to understand it creators’s mindset to show how ransomware itself is evolving in the fifth generation of cyber threats.


Low-Tech Ransomware

Distributed on the Dark Web by a presumed Russian developer, the GandCrab Affiliate Program offers low skilled threat actors the opportunity to run their own ransomware campaigns. Delivered mainly through email spam engines, affiliates are also provided with advice and encouragement on which regions to target to ensure the highest profits.


GandCrab itself is an under-engineered ransomware that manages to still be effective. For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat.


Other, unrelated, security flaws in the malware’s infrastructure triggered some in the infosec community to develop a free decryption tool for infected victims. However, in response, GandCrab’s developers quickly made changes to their product to render this decryptor tool useless.


The Criminal Mindset

The GandCrab developers’ mindset is clearly ‘Deliver first, improve later’.


However, the authors were never pushed into a corner where they had to make any of these improvements. Instead, they proactively upped their game the moment they realized they had the serious attention of the security community. In 2018, even ransomware is agile.


How GandCrab’s Updates Avoid AVs.

The updates made to GandCrab allows it to bypass signature-based Anti-Viruses (AVs) while testing them against a multitude of AVs to maintain a Fully Un-Detected (FUD) status.



Cosmetics and incremental code changes keep the core of the malware behavior essentially the same. This comes to show the core differentiator of Dynamic Analysis and Heuristic-based detection, which is signature-less.


For example, the anti-ransomware feature of Sand Blast Agent heuristically detects malicious encryption of important files and restores the affected copies once detected. As a result, SBA Anti-Ransomware is able to detect each new variant of GrandCrab, no matter how often it changes, as the underlining activity of the ransomware is the same – to seek and encrypt files of importance to the user.


In addition, a SBA automatic report generated from a simulated infection of GandCrab shows the execution process tree had not changed much and the forensic report could still trace back the encryption back to the source of infection. This allows for understanding which user files were affected and were was the infection source for all versions of the GandCrab ransomware.


In the fifth generation of cyber threats, ransomware-as-a-service is evolving, its primary goal is still extortion, but now it’s agile. . As a result, it is vital that organizations arm themselves with ‘Gen V’ advanced technologies in order to face these new threats with confidence.




For more details on SandBlast Agent’s Anti-Ransomware, please read our white paper.

For more details on our GandCrab research, please visit Check Point Research.