New GandCrab Variants, Varied Payloads Delivered Via Spam Campaign

Security researchers found an ongoing spam campaign that aims to infect as many systems as possible by pushing several configurations and infection payloads at once. New variants of GandCrab ransomware have infected a large number of servers in India, Chile, Peru, the United States, and the Philippines since the family was first seen in January 2018. Spam-mail delivery has surged in the past couple of days, alongside the exploit-kit distribution the family was already using, and the infection method varies from run to run.

[Read: The ransomware landscape in 2017]

According to the report, as many as three different samples of the JavaScript downloader can appear in a single mass spam run, with the developers updating the ransomware's design and regularly varying their delivery methods. Encrypted files were given the extension .GDCB or .CRAB, which suggests either that the campaign pushes different samples with distinct configurations at the same time, or that it rotates extensions to evade signature-based detection. Besides GandCrab, the malicious URL, usually delivered in a phishing email themed around tickets, invoices, and payments with a filename format such as or, also serves the Phorpiex backdoor worm (used for remote access and control), the IRCbot remote access tool, and a coin miner.
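The two extensions are the most practical first indicator an incident responder has on a file share. As an added example, not code from the report or from Trend Micro, the script below walks a directory tree, lists every file carrying a .GDCB or .CRAB extension, and summarizes which folders were hit. The entropy check is an assumption of this example rather than something the article describes: a file that was merely renamed but still contains readable data scores low and deserves a second look before being written off as lost. The sample directory is constructed inline so the script runs offline.

```python
import math
import os
import tempfile
from collections import Counter

# Extensions the report attributes to GandCrab-encrypted files.
GANDCRAB_EXTENSIONS = {".gdcb", ".crab"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample (0.0 to 8.0). Encrypted output sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_encrypted_files(root: str, sample_bytes: int = 65536):
    """Walk `root` and return (path, entropy) for every file whose final
    extension is one GandCrab uses. Entropy is a corroborating signal only
    (assumption of this example, not from the report): a renamed but plaintext
    file scores low and should be examined rather than assumed encrypted."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in GANDCRAB_EXTENSIONS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    hits.append((path, shannon_entropy(fh.read(sample_bytes))))
    return hits


def triage(root: str, entropy_threshold: float = 7.0) -> dict:
    """Scope summary a responder wants first: how many files carry the
    extension, how many of those also look encrypted, and which top-level
    folders under `root` were touched."""
    total = sum(len(files) for _, _, files in os.walk(root))
    hits = find_encrypted_files(root)
    encrypted = [p for p, e in hits if e >= entropy_threshold]
    folders = sorted({os.path.relpath(p, root).split(os.sep)[0] for p in encrypted})
    return {
        "files_total": total,
        "renamed": len(hits),
        "renamed_and_high_entropy": len(encrypted),
        "folders_hit": folders,
    }


def build_sample_tree() -> str:
    """Constructed fixture (not real victim data): a small share with four
    encrypted-looking files, one renamed-but-plaintext decoy, and untouched files."""
    root = tempfile.mkdtemp(prefix="gandcrab-triage-")
    layout = {
        "finance/q1.xlsx.GDCB": os.urandom(4096),
        "finance/notes.txt": b"plain text, untouched\n" * 50,
        "hr/contract.docx.CRAB": os.urandom(4096),
        "hr/policy.pdf.CRAB": os.urandom(4096),
        "hr/readme.md": b"# nothing to see\n" * 20,
        "shared/photo.jpg.crab": os.urandom(4096),
        "shared/decoy.CRAB": b"still readable text\n" * 40,  # renamed, not encrypted
        "shared/todo.txt": b"buy milk\n" * 10,
        "shared/manual.pdf": b"%PDF-1.4 placeholder\n" * 30,
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    share = build_sample_tree()
    for path, entropy in find_encrypted_files(share):
        print(f"{entropy:4.2f}  {os.path.relpath(path, share)}")
    print(triage(share))
```

Run it against a mounted share instead of the fixture by passing the mount point to `triage`; the folder list tells you which segments the infected host could write to, which is the same question the segmentation advice later in the article is trying to answer in advance.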

[Related: Ransomware: Past, Present and Future]

The malware drops a ransom note with a link to a payment site that can only be reached through the Tor Browser. Victims are instructed to pay $400 in Dash, a cryptocurrency the attackers favor because it is harder to trace and quicker to process, for the decryption key. The attackers double the ransom if it is not paid within the stated period.

[Read: What are the bad guys after and how do I stop them?]

Ransomware operators keep finding new ways to profit from their victims. Trend Micro recommends that affected victims do not pay the ransom, as there is no assurance that the files will be recovered.

[Roundup: The Paradox of Cyberthreats]

With the right protection in place, GandCrab can be detected and blocked before it encrypts anything. A few recommendations for protecting business and personal data from this type of threat:

  • Regularly back up important data and media files, following the 3-2-1 rule: three copies, on two different media, with one copy kept off-site
  • Apply software updates promptly to patch the vulnerabilities that exploit kits and other delivery methods rely on
  • Implement network segmentation and data categorization for layered protection, and limit the data each employee can reach, so a single infected host cannot encrypt everything

[Read: 3 reasons the ransomware threat will continue in 2018]

Enterprises can be protected on all fronts, from the gateway to the endpoint user. Trend Micro XGen™ security software provides a full range of protection through cross-generational defense techniques to secure your business from known, unseen, and unknown threats. Protect your business data and applications unobtrusively, and get ahead of threats 24/7 with Hybrid Cloud Security, User Protection, and Network Defense.
