# GandCrab Operators Use Vidar Infostealer as a Forerunner **[bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/](https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/)** Ionut Ilascu By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) January 7, 2019 10:17 AM 0 Cybercriminals behind GandCrab have added the infostealer Vidar in the process for distributing the ransomware piece, which helps increase their profits by pilfering sensitive information before encrypting the computer files. Following the trails of a malvertising campaign targeting users of torrent trackers and video streaming websites, malware researchers found that Fallout Exploit Kit was used to spread a relatively new infostealer called Vidar, which doubled as a downloader for GandCrab. ----- Using a rogue advertising domain, the threat actor triaged by geolocation the visitors of the compromised websites and redirected them to an exploit kit (EK). Fallout was the most active, says Jérôme Segura of Malwarebytes, adding that it pushed Vidar - a commercial threat available for $700 specifically built for stealing passwords and forms from web browsers. It can be configured to grab specific information, like payment card numbers or credentials stored in various applications. The variant examined by Malwarebytes included scraping capabilities for details from "an impressive selection of digital wallets." Once it starts running, Vidar searches for data specified in its configuration along and [delivers it to the command and control (C2) server as a ZIP archive, notes Segura.](https://blog.malwarebytes.com/threat-analysis/2019/01/vidar-gandcrab-stealer-and-ransomware-combo-observed-in-the-wild/) ----- Its interface makes it easy for the operator to keep track of the victims, deliver instructions to the malware and check the type of data collected from each infected host. ## Downloading GandCrab ransomware Vidar can work as a malware dropper and in the case observed by Malwarebytes the second payload was GandCrab ransomware. "Within about a minute after the initial Vidar infection, the victim’s files will be encrypted and their wallpaper hijacked to display the note for GandCrab version 5.04." 5.04 is the latest revision of the ransomware and at the moment there is no possibility to decrypt the files it touches without paying the ransom or getting the decryption key from the threat actor. Users affected by earlier versions of the ransomware can recover their files with a free [GandCrab decryption tool that works with v1, v4, and v5 up to v5.02 of the malware.](https://www.bleepingcomputer.com/news/security/free-decrypter-available-for-the-latest-gandcrab-ransomware-versions/) ----- Running an infostealer before deploying the ransomware ensures some money for the adversary even if the victim does not pay the ransom. Even if the cybercriminals do not use the stolen data themselves, they can sell it on underground forums. Users with computer files locked by GandCrab should now also consider changing the username/password combinations at least for the critical services and applicatons they're using. ### Related Articles: [Eternity malware kit offers stealer, miner, worm, ransomware tools](https://www.bleepingcomputer.com/news/security/eternity-malware-kit-offers-stealer-miner-worm-ransomware-tools/) [BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state](https://www.bleepingcomputer.com/news/security/blackcat-alphv-ransomware-asks-5-million-to-unlock-austrian-state/) [Windows 11 KB5014019 breaks Trend Micro ransomware protection](https://www.bleepingcomputer.com/news/security/windows-11-kb5014019-breaks-trend-micro-ransomware-protection/) [New ChromeLoader malware surge threatens browsers worldwide](https://www.bleepingcomputer.com/news/security/new-chromeloader-malware-surge-threatens-browsers-worldwide/) [Industrial Spy data extortion market gets into the ransomware game](https://www.bleepingcomputer.com/news/security/industrial-spy-data-extortion-market-gets-into-the-ransomware-game/) [GandCrab](https://www.bleepingcomputer.com/tag/gandcrab/) [Information Stealer](https://www.bleepingcomputer.com/tag/information-stealer/) [Malvertising](https://www.bleepingcomputer.com/tag/malvertising/) [Ransomware](https://www.bleepingcomputer.com/tag/ransomware/) [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia. [Previous Article](https://www.bleepingcomputer.com/news/security/apple-ios-games-found-talking-to-golduck-malware-candc-servers/) [Next Article](https://www.bleepingcomputer.com/news/google/google-emails-users-about-private-data-exposed-by-google-api-bug/) Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ### You may also like: -----