{
	"id": "6946e54e-cafa-4d3f-8798-dc83833c2e12",
	"created_at": "2026-04-06T00:07:01.456647Z",
	"updated_at": "2026-04-10T13:12:48.654673Z",
	"deleted_at": null,
	"sha1_hash": "efa462f30d6cf19f687de6d287729a0a421e1adc",
	"title": "GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1500129,
	"plain_text": "GandCrab Ransomware Distributed by Exploit Kits, Appends GDCB Extension\r\nBy Lawrence Abrams\r\nPublished: 2018-01-30 · Archived: 2026-04-05 17:51:28 UTC\r\nA new ransomware called GandCrab was released towards the end of last week and is currently being distributed via exploit kits. GandCrab has some features not seen before in ransomware: it is the first to accept the DASH cryptocurrency as payment and the first to use the Namecoin-powered .BIT TLD for its command and control (C2) domains (though, as the Namecoin developers later pointed out, not correctly; see the update below).\r\nFirst discovered by security researcher David Montenegro, the ransomware was quickly analyzed by other researchers, who posted their results on Twitter. This article covers what has been discovered so far by myself and other researchers.\r\nUnfortunately, at this time there is no way to decrypt files encrypted by GandCrab for free. The ransomware is still being researched, and this article will be updated if new information is released.\r\nhttps://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/\r\nPage 1 of 9\r\nFor now, if you wish to discuss GandCrab you can use this article's comments section or our dedicated GandCrab Help \u0026 Support Topic.\r\nGandCrab being distributed through the RIG exploit kit\r\nAccording to exploit kit researchers nao_sec and Brad Duncan, GandCrab is currently being distributed through a malvertising campaign called Seamless, which redirects visitors to the RIG exploit kit. 
The exploit kit then attempts to exploit vulnerabilities in the visitor's software (typically an outdated browser or browser plugin) to install GandCrab without the visitor's knowledge or permission.\r\nIf the exploit kit succeeds in installing the ransomware, the victim will probably not realize they are infected until the files are already encrypted.\r\nGandCrab is the first ransomware to use the DASH currency\r\nA first for ransomware is GandCrab's use of the DASH currency as the ransom payment. Most file-encrypting ransomware families have exclusively used Bitcoin as the payment method. Lately, some ransomware infections have been moving to Monero and even Ethereum.\r\nThis is the first time, though, that we have seen any ransomware ask for DASH as payment. This is most likely because DASH is built around privacy, which makes it harder for law enforcement to track the owners of the coins.\r\nDASH currency as payment\r\nThe GandCrab developers are currently asking for 1.54 DASH, which is approximately $1,170 USD at today's prices.\r\nGandCrab utilizes Namecoin's .BIT TLD\r\nAnother interesting feature is GandCrab's use of the Namecoin .BIT top-level domain. .BIT is not a TLD recognized by the Internet Corporation for Assigned Names and Numbers (ICANN); it is instead managed by Namecoin's decentralized, blockchain-based naming system.\r\nThis means that any software that wishes to resolve a domain name under the .BIT TLD must use a DNS server that supports it; a normal corporate or ISP resolver will simply answer NXDOMAIN. GandCrab does this by sending its DNS queries to the a.dnspod.com DNS server, which is reachable on the Internet and also resolves .bit domains.\r\nGandCrab uses these .bit domains as addresses for its Command \u0026 Control servers. 
Interestingly, the C2 domain names used by this ransomware are ones you might recognize:\r\nbleepingcomputer.bit\r\nnomoreransom.bit\r\nesetnod32.bit\r\nemsisoft.bit\r\ngandcrab.bit\r\nAfter the publication of this story, the Namecoin developers issued a statement explaining that even though the GandCrab devs tried to use Namecoin DNS for their command \u0026 control servers, they did not set it up correctly. Instead, the Namecoin developers stated that dnspod.com was simply allowing .bit names to resolve even though .bit is not a TLD recognized by ICANN.\r\nHow GandCrab encrypts a computer\r\nWhen GandCrab is first launched, it will attempt to connect to the ransomware's Command \u0026 Control server. As this server is hosted on one of Namecoin's .bit domains, it has to query a name server that supports this TLD.\r\nIt does this by querying for the addresses of the following domains using the command nslookup [insert domain] a.dnspod.com. This command queries the a.dnspod.com name server, which supports the .bit TLD, for one of the domains below:\r\nbleepingcomputer.bit\r\nnomoreransom.bit\r\nesetnod32.bit\r\nemsisoft.bit\r\ngandcrab.bit\r\nIf the victim's machine is unable to connect to the C2 server, the ransomware will not encrypt the computer. It will, though, keep running in the background, retrying the lookup of the C2's IP address and the connection to it. A practical consequence for defenders is that blocking outbound DNS to a.dnspod.com at the network edge (the sample queries that server directly, bypassing the internal resolver) prevents this version from encrypting anything for as long as the block holds; because the sample keeps retrying, the process still has to be found and removed.\r\nOnce it is able to resolve the domain, it will connect to the C2 server's IP address. 
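The C2 resolution described above is something endpoint telemetry can catch: nslookup is rarely run by ordinary users, it is run here against a resolver the organization does not use, and the queried names end in a TLD that cannot resolve through a normal resolver. The script below is an added example (not code from the article or from any researcher it cites) that applies those three checks to constructed Sysmon-style process-creation and DNS-query events. The five .bit names and a.dnspod.com come from the article; the list of approved internal resolvers and the sample events are assumptions made for the example.

```python
# Added example, not from the article: flag GandCrab-style C2 resolution
# in endpoint telemetry (process-creation and DNS-query events).
import re
from dataclasses import dataclass

# The five C2 names and the resolver are taken from the article.
GANDCRAB_C2_NAMES = frozenset({
    'bleepingcomputer.bit', 'nomoreransom.bit', 'esetnod32.bit',
    'emsisoft.bit', 'gandcrab.bit',
})
GANDCRAB_RESOLVER = 'a.dnspod.com'

# Assumption for this example: the resolvers the organization actually uses.
# An nslookup pointed anywhere else is worth a look on its own.
APPROVED_RESOLVERS = frozenset({'10.0.0.53', '10.0.1.53', 'dc01.corp.example'})

# nslookup <name> <server>; tolerates the .exe suffix and repeated spaces.
NSLOOKUP_RE = re.compile('nslookup(?:[.]exe)? +([^ ]+) +([^ ]+)', re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: str
    detail: str


def _check_name(host: str, name: str, via: str) -> list:
    name = name.lower().rstrip('.')
    if not name.endswith('.bit'):
        return []
    # A known GandCrab C2 name is high; any other .bit name still merits a
    # look, because .bit cannot resolve through a normal corporate resolver.
    sev = 'high' if name in GANDCRAB_C2_NAMES else 'medium'
    return [Alert(host, 'bit-tld-lookup', sev, f'{name} via {via}')]


def check_process_event(host: str, command_line: str) -> list:
    '''Process-creation event: the command line gives both name and server.'''
    m = NSLOOKUP_RE.search(command_line)
    if not m:
        return []
    name, server = m.group(1), m.group(2).lower().rstrip('.')
    alerts = _check_name(host, name, server)
    if server == GANDCRAB_RESOLVER:
        alerts.append(Alert(host, 'nslookup-dnspod', 'high', f'{server} for {name}'))
    elif server not in APPROVED_RESOLVERS:
        alerts.append(Alert(host, 'nslookup-unapproved-resolver', 'low',
                            f'{server} for {name}'))
    return alerts


def check_dns_event(host: str, query_name: str) -> list:
    '''Sysmon DNS events (Event ID 22) record the name only, not the server.'''
    return _check_name(host, query_name, 'system resolver')


def scan(events: list) -> list:
    alerts = []
    for ev in events:
        if ev['type'] == 'process':
            alerts.extend(check_process_event(ev['host'], ev['cmd']))
        elif ev['type'] == 'dns':
            alerts.extend(check_dns_event(ev['host'], ev['query']))
    return alerts


# Constructed sample telemetry for the example, not real logs.
SAMPLE_EVENTS = [
    {'type': 'process', 'host': 'ws17', 'cmd': 'nslookup bleepingcomputer.bit a.dnspod.com'},
    {'type': 'process', 'host': 'ws17', 'cmd': 'nslookup.exe  gandcrab.bit  a.dnspod.com'},
    {'type': 'process', 'host': 'ws02', 'cmd': 'nslookup fileserver.corp.example 10.0.0.53'},
    {'type': 'process', 'host': 'ws02', 'cmd': 'nslookup update.example.com 8.8.8.8'},
    {'type': 'dns', 'host': 'ws17', 'query': 'nomoreransom.bit'},
    {'type': 'dns', 'host': 'ws02', 'query': 'www.example.com'},
]

if __name__ == '__main__':
    for a in scan(SAMPLE_EVENTS):
        print(f'{a.host}: [{a.severity}] {a.rule}: {a.detail}')
```

A process event carries the command line, so it yields both the .bit check and the resolver check; a DNS-query event records only the queried name, so only the .bit check applies to it. On the sample above, ws17 produces every high-severity alert and ws02 produces only the low-severity one for the public resolver.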
It is not known at this time what data is sent and retrieved, but the C2 is most likely sending the public key that is used to encrypt the files.\r\nDuring this process, the ransomware will also connect to http://ipv4bot.whatismyipaddress.com/ to determine the public IP address of the victim.\r\nBefore GandCrab encrypts the victim's files, it first checks for certain processes and terminates them. This closes any file handles those processes hold open, so that database files and similar can be encrypted. According to security researcher Vitali Kremez, the processes that are terminated include:\r\nmsftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe,\r\nGandCrab will now begin to encrypt the victim's files, targeting only certain file extensions. According to researcher Pepper Potts, the list of extensions begins:\r\n.1cd, .3dm, .3ds, .3fr, .3g2, .3gp, .3pr, .7z, .7zip, .aac, .ab4, .abd, .acc, .accdb, .accde, .accdr, .accdt, .ach, .acr,\r\nWhile encrypting files, Kremez's analysis showed that GandCrab will skip any file whose full pathname contains one of the following strings:\r\n\\ProgramData\\, \\Program Files\\, \\Tor Browser\\, Ransomware, \\All Users\\, \\Local Settings\\, desktop.ini, autorun.inf, ntuse\r\nWhen encrypting a file, the ransomware appends the .GDCB extension to the encrypted file's name. For example, test.jpg would be encrypted and renamed to test.jpg.GDCB.\r\nEncrypted GDCB Files\r\nAt some point, the ransomware will relaunch itself using the command \"C:\\Windows\\system32\\wbem\\wmic.exe\" process call create \"cmd /c start %Temp%\\[launched_file_name].exe\". 
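The targeting rules above (the skip strings, the targeted extensions, the appended .GDCB extension and the GDCB-DECRYPT.txt note) are what a responder works from when triaging a share or a mounted disk image after an infection. The script below is an added example, not code from the article or from the researchers it cites: it applies the reported rules to a Windows path and walks a directory tree to classify files as encrypted, ransom notes, targeted-but-spared (under a skipped path) or targeted-but-intact, the last of which indicates that encryption did not complete. Both the skip list and the extension list are cut off in the article, so the constants here are the printed subset only; the sample tree is constructed for the example, and the case-insensitive substring match is an assumption.

```python
# Added example, not from the article: apply the reported GandCrab targeting
# rules to a path and triage a directory tree for the artefacts it leaves.
from pathlib import Path, PureWindowsPath
import tempfile

BS = chr(92)  # a single backslash, kept out of the literals for readability
ENCRYPTED_EXT = '.GDCB'
RANSOM_NOTE = 'GDCB-DECRYPT.txt'

# Skip strings as printed in the article (its list is cut off after these).
SKIP_SUBSTRINGS = [
    f'{BS}ProgramData{BS}', f'{BS}Program Files{BS}', f'{BS}Tor Browser{BS}',
    'Ransomware', f'{BS}All Users{BS}', f'{BS}Local Settings{BS}',
    'desktop.ini', 'autorun.inf',
]
# Targeted extensions as printed in the article (a subset of the real list).
TARGET_EXTS = frozenset(
    '.1cd .3dm .3ds .3fr .3g2 .3gp .3pr .7z .7zip .aac .ab4 .abd '
    '.acc .accdb .accde .accdr .accdt .ach .acr'.split())


def would_be_targeted(win_path: str) -> bool:
    '''Reported rules: skip if the full path contains any skip string,
    otherwise encrypt only files with a targeted extension. Assumption for
    this example: the substring match is case-insensitive, as NTFS paths are.'''
    lowered = win_path.lower()
    if any(s.lower() in lowered for s in SKIP_SUBSTRINGS):
        return False
    return PureWindowsPath(win_path).suffix.lower() in TARGET_EXTS


def original_name(encrypted: str) -> str:
    '''test.jpg.GDCB -> test.jpg; the extension is appended, never replaced.'''
    if encrypted.endswith(ENCRYPTED_EXT):
        return encrypted[:-len(ENCRYPTED_EXT)]
    return encrypted


def triage(root: Path) -> dict:
    '''Walk a tree (a mounted image, a share) and summarise the damage.'''
    result = {'encrypted': [], 'notes': [], 'spared': [], 'intact': []}
    for p in root.rglob('*'):
        if not p.is_file():
            continue
        rel = p.relative_to(root)
        # Render the path as it looked on the victim so the Windows-style
        # skip rules can be applied to a tree mounted on any OS.
        win = 'C:' + BS + str(PureWindowsPath(*rel.parts))
        if p.name == RANSOM_NOTE:
            result['notes'].append(str(rel))
        elif p.name.endswith(ENCRYPTED_EXT):
            result['encrypted'].append(str(rel))
        elif p.suffix.lower() in TARGET_EXTS:
            # Targeted extension but not encrypted: either the path is on the
            # skip list, or encryption never reached this file.
            bucket = 'intact' if would_be_targeted(win) else 'spared'
            result[bucket].append(str(rel))
    return {k: sorted(v) for k, v in result.items()}


def build_sample_tree(base: Path) -> Path:
    '''Constructed sample tree for the example, not a real victim image.'''
    files = {
        'Users/bob/Documents/report.accdb.GDCB': 'ciphertext',
        'Users/bob/Documents/GDCB-DECRYPT.txt': '---= GANDCRAB =---',
        'Users/bob/Documents/notes.txt': 'not a targeted extension',
        'Users/bob/Music/song.aac': 'targeted but still intact',
        'ProgramData/app/cache.7z': 'targeted extension under a skipped path',
        'Users/bob/Desktop/desktop.ini': 'skipped by name',
    }
    for rel, body in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_tree(Path(tmp)))


if __name__ == '__main__':
    for bucket, paths in demo().items():
        print(bucket, paths)
```

To run it against a real tree, replace the temporary directory in demo() with the mount point. Because TARGET_EXTS holds only the extensions the article prints, files with other extensions are ignored rather than reported as intact; extend the set from a fuller list before relying on the intact bucket to judge whether encryption completed.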
This relaunch triggers a User Account Control prompt; if the user does not click Yes, the ransomware will keep displaying the UAC prompt until they do.\r\nUAC Prompt\r\nWhen the ransomware has finished encrypting the computer, victims will find ransom notes located throughout the computer. The ransom note is named GDCB-DECRYPT.txt and contains information on what happened to the victim's files and a list of Tor gateways that can be used to access the payment site.\r\nGandCrab GDCB-DECRYPT.txt Ransom Note\r\nWhen a user goes to the listed site, they are presented with a site called GandCrab Decryptor. This site provides information such as the ransom amount, the DASH address to send payment to, a support chat, and a free decryption of one file.\r\nGandCrab Decryptor\r\nAs already stated, unfortunately there is no way to decrypt the files for free at this time. If you need help or would like to discuss this ransomware, you can do so in our dedicated GandCrab Help \u0026 Support Topic.\r\nHow to protect yourself from the GandCrab Ransomware\r\nIn order to protect yourself from ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack. With a good backup that the ransomware cannot reach, an infection becomes a recovery exercise rather than a loss.\r\nYou should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. 
For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.\r\nLast, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:\r\nBackup, Backup, Backup!\r\nDo not open attachments if you do not know who sent them.\r\nDo not open attachments until you confirm that the person actually sent them to you.\r\nScan attachments with tools like VirusTotal.\r\nMake sure all Windows updates are installed as soon as they come out. Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older versions of these programs contain security vulnerabilities that are commonly exploited by malware distributors and exploit kits, so it is important to keep them updated.\r\nMake sure you have some sort of security software installed that uses behavioral detections or whitelisting technology. 
Whitelisting can be a pain to train, but if you are willing to stick with it, it can have the biggest payoff of all.\r\nUse strong passwords and never reuse the same password at multiple sites.\r\nFor a complete guide on ransomware protection, you can visit our How to Protect and Harden a Computer against Ransomware article.\r\nUpdate 2/8/18 10:46 AM: Updated article to include information from the Namecoin developers regarding how the GandCrab devs did not properly configure the C2 domains using Namecoin.\r\nIOCs\r\nGandCrab Hashes (MD5):\r\naedf80c426fb649bb258e430a3830d85\r\n6866d8d8bf8565d94e0e1479978cf1e5\r\n379e149517f4119f2edb9676ec456ed4\r\nGandCrab Network Communication:\r\n92.53.66.11/curl.php?token=\r\nipv4bot.whatismyipaddress.com\r\nhttp://gdcbghvjyqy7jclk.onion\r\nhttp://gdcbghvjyqy7jclk.onion.top/\r\nhttp://gdcbghvjyqy7jclk.onion.casa/\r\nhttp://gdcbghvjyqy7jclk.onion.guide/\r\nhttp://gdcbghvjyqy7jclk.onion.rip/\r\nhttp://gdcbghvjyqy7jclk.onion.plus/\r\nGandCrab Files:\r\nGDCB-DECRYPT.txt\r\nGandCrab Ransom Note:\r\n---= GANDCRAB =---\r\nAttention!\r\nAll your files documents, photos, databases and other important files are encrypted and have the extension: .GDCB\r\nThe only method of recovering files is to purchase a private key. It is on our server and only we can recover your files.\r\nThe server with your key is in a closed network TOR. You can get there by the following ways:\r\n1. Download Tor browser - https://www.torproject.org/\r\n2. Install Tor browser\r\n3. Open Tor Browser\r\n4. Open link in tor browser: http://gdcbghvjyqy7jclk.onion/[id]\r\n5. Follow the instructions on this page\r\nIf Tor/Tor browser is locked in your country or you can not install it, open one of the following links in your regular br\r\n1. http://gdcbghvjyqy7jclk.onion.top/[id]\r\n2. http://gdcbghvjyqy7jclk.onion.casa/[id]\r\n3. 
http://gdcbghvjyqy7jclk.onion.guide/[id]\r\n4. http://gdcbghvjyqy7jclk.onion.rip/[id]\r\n5. http://gdcbghvjyqy7jclk.onion.plus/[id]\r\nOn our page you will see instructions on payment and get the opportunity to decrypt 1 file for free.\r\nDANGEROUS!\r\nDo not try to modify files or use your own private key - this will result in the loss of your data forever!\r\nSource: https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/"
	],
	"report_names": [
		"gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension"
	],
	"threat_actors": [],
	"ts_created_at": 1775434021,
	"ts_updated_at": 1775826768,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efa462f30d6cf19f687de6d287729a0a421e1adc.pdf",
		"text": "https://archive.orkl.eu/efa462f30d6cf19f687de6d287729a0a421e1adc.txt",
		"img": "https://archive.orkl.eu/efa462f30d6cf19f687de6d287729a0a421e1adc.jpg"
	}
}