{
	"id": "51c94992-181c-477d-a30e-09001f3e4913",
	"created_at": "2026-04-06T00:11:10.784663Z",
	"updated_at": "2026-04-10T03:21:12.337301Z",
	"deleted_at": null,
	"sha1_hash": "a7c692ec5aebdf537271f9da5162c7b9e4c4e877",
	"title": "GandCrab ransomware distributed by RIG and GrandSoft exploit kits (updated) | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3163991,
	"plain_text": "GandCrab ransomware distributed by RIG and GrandSoft exploit\r\nkits (updated) | Malwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2018-01-29 · Archived: 2026-04-05 18:35:25 UTC\r\nThis post was authored by Vasilios Hioueras and Jérôme Segura\r\nUpdate (2018-04-16): Magnitude EK has switched from Magniber to GandCrab.\r\nUpdate (2018-02-28): Major development with GandCrab. A decryptor for it is available from\r\nNoMoreRansom here. You can read the press release from Europol here.\r\nUpdate (2018-02-02): GandCrab is delivered via Necurs malicious spam [1].\r\nUpdate (2018-02-01): GandCrab is now also spread via the EITest campaign [2] [3].\r\n– –\r\nLate last week saw the appearance of a new ransomware called GandCrab. Surprisingly, it is distributed via two\r\nexploit kits: RIG EK and GrandSoft EK.\r\nWhy is this surprising? Other than Magnitude EK, which is known to consistently push the Magniber\r\nransomware, other exploit kits have this year mostly dropped other payloads, such as Ramnit or SmokeLoader,\r\ntypically followed by RATs and coin miners.\r\nDespite a bit of a slowdown in ransomware growth towards the last quarter of 2017, it remains a tried and tested\r\nbusiness that guarantees threat actors a substantial source of revenue.\r\nDistribution\r\nGandCrab was first spotted on Jan 26 and later identified in exploit kit campaigns.\r\nRIG exploit kit\r\nThe well-documented Seamless gate appears to have diversified itself as of late with distinct threads pushing a\r\nspecific payload. While Seamless is notorious for having switched to International Domain Names (IDNs)\r\ncontaining characters from the Russian alphabet, we have also discovered a standard domain name in a different\r\nmalvertising chain. 
(Side note: that same chain is also used to redirect to the Magnitude exploit kit.)\r\nWe observed the same filtering done upstream, which filters out known IPs, while the gav[0-9].php step is a\r\nmore surefire way to get the redirection to RIG EK.\r\nAt the moment, only the gav4.php flow is used to spread this ransomware.\r\nhttps://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/\r\nPage 1 of 12\n\nGrandSoft exploit kit\r\nThis exploit kit is an oldie, far less common, and thought to have disappeared. Yet it was discovered that it too was\r\nused to redistribute GandCrab.\r\nGrandSoft EK’s landing page is not obfuscated and appears to be using similar functions found in other exploit\r\nkits.\r\nEITest\r\nThis campaign is served via compromised websites.\r\nNecurs malspam\r\nNecurs started dropping GandCrab as well.\r\nRansom note\r\nInterestingly, GandCrab is not demanding payment in the popular Bitcoin currency, but rather a\r\nlesser-known cryptocurrency called Dash. This is another sign that threat actors are going for\r\ncurrencies that offer more anonymity and may have lower transaction fees than BTC.\r\nTechnical analysis\r\nAfter unpacking, the binary is pretty straightforward as far as analysis is concerned. There were no attempts to\r\nobfuscate data or code beyond just the first layer of the packer. Everything from the exclusion file types to web\r\nrequest variables, URLs, list of AVs—even the whole ransom message—is in plain text within the data section. 
On\r\ninitial look-through, you can deduce what some of the functionality might be just by looking at the strings\r\nof the binary.\r\nThe code flow stays relatively inline, so as far as reverse engineering is concerned, it allows you to quite\r\naccurately analyze it even just statically in a disassembler. The code is divided up into three main segments:\r\ninitialization, network, and encryption.\r\nInitialization\r\nAfter unpacking, GandCrab starts out with a few functions whose tasks are to set up some information to be used\r\nlater in the code. It queries information about the user such as:\r\nusername\r\nkeyboard type\r\ncomputer name\r\npresence of antivirus\r\nprocessor type\r\nIP\r\nOS version\r\ndisk space\r\nsystem language\r\nactive drives\r\nlocale\r\ncurrent Windows version\r\nprocessor architecture\r\nIt specifically checks if the keyboard layout is Russian, writes out an integer representation for that result, and\r\nbuilds a string with all this info. Below is the code that is starting to write out the variable names to label the\r\ninformation gathered:\r\nIt then cycles through all letters of the alphabet querying if a drive exists and what type it is. If it is a CD-ROM,\r\nunknown, or nonexistent, it skips it. If a fixed drive is found, it copies its name to a buffer and copies a string\r\ndescribing what type of drive it is. For example, the C: drive is FIXED.\r\nIt then gets disk free space and information on sectors that it converts into another series of numbers via printf\r\nfunction tokens: C:FIXED_64317550592. 
It continues this for every drive and builds a list.\r\nIt puts all of the information gathered on the system together and you can assume, before you even get to this\r\npoint in the code, that this will be sent up to a C2 server at some point, as it is in the format of a GET request.\r\nHere is an example of how the system info gets structured:\r\nip=99.8.160.100\u0026pc_user=virusLab\u0026pc_name=VI\r\nIt also searches running processes, checking against a finite set of antivirus programs that will also be converted to\r\nthe info string for the C2 server.\r\nIt then proceeds to create a mutex with some system info along with a generated ID. For example:\r\nGlobalpc_group=WORKGROUP\u0026ransom_id=c9ed65de824663f\r\nIn order to initialize itself for the future encryption, it cycles through a hardcoded list of processes to kill. This is a\r\ncommon technique among ransomware that attempts to kill processes that might have a lock on certain files,\r\nwhich it would like to encrypt.\r\nKEY PROCESS LIST:\r\nmsftesql.exe sqlagent.exe sqlbrowser.exe sqlservr.exe sqlwriter.exe oracle.exe ocssd.exe dbsnmp.exe synctime.exe\r\nmydesktopqos.exe agntsvc.exe isqlplussvc.exe xfssvccon.exe mydesktopservice.exe ocautoupds.exe agntsvc.exe agntsvc.exe\r\nagntsvc.exe encsvc.exe firefoxconfig.exe tbirdconfig.exe ocomm.exe mysqld.exe mysqld-nt.exe mysqld-opt.exe dbeng50.exe\r\nsqbcoreservice.exe excel.exe infopath.exe msaccess.exe mspub.exe onenote.exe outlook.exe powerpnt.exe steam.exe\r\nthebat.exe thebat64.exe thunderbird.exe visio.exe winword.exe wordpad.exe\r\nNext, it calls the built-in crypto functions to generate keys. GandCrab generates the public and private keys on the\r\nclient side and uses the standard Microsoft crypto libraries available using API calls from Advapi32.dll. It calls\r\nCryptGenKey with the RSA algorithm.\r\nNetwork connection\r\nNow it enters the main loop for the Internet functionality portion of the ransomware. This area of code either\r\nsucceeds and continues to the encryption section of code, or it loops again and again attempting to succeed. If it\r\nnever succeeds, it will never encrypt any file.\r\nThis section starts off by making a GET request to ipv4bot.whatismyipaddress.com that saves the IP address\r\nreturned and adds it to the GET request string, which has been built with the system information.\r\nIt continues and takes a binary chunk, which is the RSA public key that was stored earlier in the initialization.\r\nThat key is converted to base64 via the CryptBinaryToStringA API with the following parameters:\r\nCRYPT_STRING_NOCRLF and CRYPT_STRING_BASE64\r\nIt will be tacked on to the existing GET string, which it has been building this whole time. 
Below is an example\r\nof the RSA key generated in binary and its conversion, followed by the finalized GET string with the base64 of the\r\nkeys in it:\r\nWhich gets converted to:\r\nBgIAAACkAABSU0ExAAgAAAEAAQCn7L3iSUPhEdoSEOAlWaqDdzX8PknIO2w9kc//lm7YRf6KWCDmy5GrmWriBOxYZpUFjC9+xhltJ\r\nAnd builds the GET string to send to the C2 with all the system information from earlier, and also the encryption\r\nkeys:\r\naction=call\u0026ip=99.8.160.100\u0026pc_user=virusLab\u0026pc_name=VIRUSLAB-PC\u0026pc_group=WORKGROUP\u0026pc_lang=en-US\u0026pc_\r\n[Crypto key base 64 functions]\r\n[Section of code that is adding the encoded keys to the get string under priv_key parameter]\r\nAt this point, it is clear that the malware will be sending this info to the C2 server. This is interesting because it\r\nmay be possible to pull the keys from memory and use them for the decryption of files.\r\nWe will continue to investigate this and update the article if any discoveries are found.\r\nGandCrab’s server is hosted on a .bit domain, and therefore it has to query a name server that supports this TLD. It\r\ndoes this by querying for the addresses of the following domains using the command:\r\nnslookup [insert domain] a.dnspod.com\r\nThis command queries the a.dnspod.com name server, which supports the .bit TLD, for one of the domains below.\r\nbleepingcomputer.bit nomoreransom.bit esetnod32.bit emsisoft.bit gandcrab.bit\r\nThe nslookup child process is opened through a pipe that was created. This is done so that the child process can\r\ndirectly affect the memory in the parent process, rather than transferring outputs manually back and forth. It is an\r\ninteresting and useful technique. 
You can look at the following section of code for more details:\r\nThe ransomware now attempts to send data to the server, and if an error occurs or the server was not reachable, it\r\ncontinues this whole process in an infinite loop until it finds one that works, re-querying for the client IP and running\r\nnslookup again and again with different IP outputs. Unless it connects with the server, it will run until it is closed\r\nmanually.\r\nAs mentioned before, it will not continue to the encryption routine until it finds a server, which means it will enter\r\nan infinite loop of IP requests:\r\nOnce it finds one of these, it continues to open a thread that will start the main encryption functionality. However,\r\nbefore it begins, it opens another thread that creates a window and labels itself as Firefox. The window is loaded\r\nwith code that will copy itself to the temp directory and set itself up in the registry. This is actually one of the few\r\nparts of the malware that is not taken directly from plain text. The file name of the copy of itself is a random series of\r\nletters generated by calling the CryptGenRandom function and using its output to index an array of letters.\r\nThe strange part about this function is not what it does, because it is creating the persistence that we had been waiting\r\nfor, but rather why a window was created in the first place. As far as we could understand, there is no benefit to\r\nlaunching a window to perform these tasks. Maybe it was an experiment on the part of the author, but the intent\r\nremains unclear.\r\nEncryption routine\r\nAs we have established from the initialization section of the malware, the encryption algorithm used\r\nis RSA. 
Before we get to the encryption section, the code makes sure that it is not encrypting specific\r\ntypes of files that it considers protected. The files are the following, hard-coded into the malware:\r\ndesktop.ini autorun.inf ntuser.dat iconcache.db bootsect.bak boot.ini ntuser.dat thumbs.\r\nIf it finds that the file name is on that list, it will skip it and continue to the next. It also skips\r\nlooking into a folder if it is one of these key folders:\r\nlocal app data windows programfiles program data ransomware localsettings\r\nWhen it passes these checks and gets to a specific file, it runs one final check on the extension\r\nagainst a list of acceptable file extensions to be encrypted:\r\nIf all checks pass, it proceeds to use the previously generated keys along with some salt and a random number\r\ngenerated to encrypt the file and rename it with a .GDCB extension. The main encryption loop is a recursive\r\nfunction that will eventually make it to every file on the drive.\r\nProtection\r\nMalwarebytes users are protected at the delivery chain (exploit protection), but we also proactively stopped this\r\nransomware before having seen it, thanks to our anti-ransomware engine:\r\nConclusion\r\nIt is interesting to see a new ransomware being distributed via exploit kits in what so far seems to be\r\na few ongoing campaigns. 
The other interesting aspect is that two distinct exploit kits are delivering\r\nit, although it is unclear if the same actor is behind both campaigns and experimenting with\r\ndifferent distribution channels.\r\nIndicators of Compromise\r\nSeamless gate\r\n31.31.196.187,xn--80abmi5aecft.xn--p1acf\r\nGrandSoft EK (IP)\r\n62.109.4.135\r\nGandCrab (packed)\r\n69f55139df165bea1fcada0b0174d01240bc40bc21aac4b42992f2e0a0c2ea1d\r\nGandCrab (unpacked)\r\nab0819ae61ecbaa87d893aa239dc82d971cfcce2d44b5bebb4c45e66bb32ec51\r\nSource: https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/"
	],
	"report_names": [
		"gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits"
	],
	"threat_actors": [],
	"ts_created_at": 1775434270,
	"ts_updated_at": 1775791272,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a7c692ec5aebdf537271f9da5162c7b9e4c4e877.pdf",
		"text": "https://archive.orkl.eu/a7c692ec5aebdf537271f9da5162c7b9e4c4e877.txt",
		"img": "https://archive.orkl.eu/a7c692ec5aebdf537271f9da5162c7b9e4c4e877.jpg"
	}
}