
Republic of the Philippines
National Police Commission
PHILIPPINE NATIONAL POLICE
ANTI-CYBERCRIME GROUP
Camp BGen Rafael T Crame, Quezon City

ACG-CYBER SECURITY BULLETIN NR 183: Beware of GandCrab Ransomware

Reference Number ACG-CSB 021019183

The following information was obtained from different cyber security sources for notification to all parties concerned, pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG). It is classified as “Restricted” pursuant to PNP Regulation 200-012 on Document Security, with an Impact Rating of High based on the PNP Information Communication Technology (ICT) Security Manual s.2010-01, p. 22 and p. 129.

SUMMARY

GandCrab ransomware is a type of malware that encrypts victims' files and demands a ransom payment in exchange for restoring access to the data. GandCrab targets consumers and businesses with PCs running Microsoft Windows, and its software platform is made available to other cyber criminals, who use it to carry out their own attacks.

GandCrab is a fairly standard ransomware in that it scans infected Windows systems and any network shares for files to encrypt. It’s recognizable by the “.gdcb” extension that it appends to encrypted files. It spreads in various ways, including via spam emails, exploit kits, targeted social engineering efforts, fake software downloads and malicious websites.

A characteristic feature of all GandCrab cases is that the ransomware appends specific extensions to the encrypted files. Depending on which version of the malware has infected the computer, these file extensions could be .gdcb, .krab, .crab, .lock, or a random string of 5 to 10 letters. The initial version of GandCrab had a critical bug in its code that left the decryption key in the memory of the infected computer.
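As an added example (not part of the bulletin), the following Python triage routine applies the extension patterns described above to a constructed file listing from a hypothetical network share: the known GandCrab suffixes are flagged directly, while a random-looking 5 to 10 letter suffix is only reported when several files share it, since a single unfamiliar extension is weak evidence on its own. The sample paths and the cluster threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions the bulletin lists for known GandCrab versions (appended to the original name).
KNOWN_GANDCRAB_SUFFIXES = {".gdcb", ".krab", ".crab", ".lock"}
# Later versions append a random 5-10 letter suffix; a single odd suffix proves nothing,
# so this pattern is only trusted when it recurs across several files.
RANDOM_SUFFIX_RE = re.compile(r"^\.[a-z]{5,10}$")
# Common real document/media extensions. Encrypted names look like "report.docx.krab",
# so the suffix *before* the appended one should still be a real extension.
COMMON_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
                     ".txt", ".zip", ".pptx", ".sql"}
# Legitimate appended suffixes that would otherwise match the random-letter pattern.
BENIGN_APPENDED = {".backup"}
MIN_CLUSTER = 3  # assumption: files sharing an unknown suffix before it is reported

def triage_paths(paths, min_cluster=MIN_CLUSTER):
    """Return {path: reason} for files whose names look GandCrab-encrypted."""
    flagged = {}
    candidates = defaultdict(list)  # unknown suffix -> paths carrying it
    for p in paths:
        suffixes = PurePosixPath(p).suffixes
        if len(suffixes) < 2:
            continue  # a real extension must precede the appended one
        inner, outer = suffixes[-2].lower(), suffixes[-1].lower()
        if inner not in COMMON_EXTENSIONS:
            continue
        if outer in KNOWN_GANDCRAB_SUFFIXES:
            flagged[p] = f"known GandCrab extension {outer}"
        elif RANDOM_SUFFIX_RE.match(outer) and outer not in BENIGN_APPENDED:
            candidates[outer].append(p)
    for suffix, members in candidates.items():
        if len(members) >= min_cluster:
            for p in members:
                flagged[p] = f"{len(members)} files share unknown appended extension {suffix}"
    return flagged

# Constructed sample listing (not real data) mixing encrypted and ordinary files.
SAMPLE_LISTING = [
    "/srv/share/finance/invoice_2019.pdf.gdcb",
    "/srv/share/finance/budget.xlsx.krab",
    "/srv/share/hr/contract.docx.ozgjx",
    "/srv/share/hr/policy.pdf.ozgjx",
    "/srv/share/hr/photo.jpg.ozgjx",
    "/srv/share/hr/README.txt",
    "/srv/share/it/backup.tar.gz",
    "/srv/share/it/config.txt.backup",
    "/srv/share/it/site.sql.zxcvb",  # one odd suffix only: below the cluster threshold
]

if __name__ == "__main__":
    for path, reason in sorted(triage_paths(SAMPLE_LISTING).items()):
        print(f"{path}: {reason}")
```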

There are several methods of distribution for the GandCrab ransomware. One of the known channels is spam email campaigns sent from senders with varying names. In this case, the cybercriminals rely on social engineering techniques, disguising the malicious emails as invoices, shopping receipts, or other documents that sound credible enough to trick the user into opening them for further details.

At this point, there are no free decryption tools for the currently circulating versions of GandCrab ransomware, so users should apply extreme caution when surfing online or opening email messages. The best tip against ransomware is, probably, to keep backups of all your valuable data on external storage devices.

You can also use security appliances, such as a firewall, to monitor the outbound traffic from form-based web pages and observe whether the traffic is going somewhere unexpected. If it is, that finding can focus code reviews on the affected pages.

RECOMMENDATION

All PNP personnel as well as the public are advised to follow the tips in order to avoid the risk of Formjacking:

• Users should regularly back up their most valuable files;
• Keep the operating system and third-party software up to date;
• Use two-factor authentication. Lock the front door, and bolt it too;
• Patch early, patch often. Do not make it easy for the crooks to get in through the back door;
• Treat dodgy-looking email attachments and links with caution; and
• Use antivirus and VPN software.

For additional information, please refer to the following websites:
• https://www.malwarebytes.com/gandcrab/
• https://hackernoon.com/gandcrab-the-most-prevalent-ransomware-in-2019-933a722bb42d
• https://www.enigmasoftware.com/gandcrabransomware-removal/
• https://nakedsecurity.sophos.com/2019/07/16/gandcrab-ransomware-revisited-is-it-back-under-a-revil-new-guise/

POINT OF CONTACT

Please contact PMAJ ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section, thru e-mail or on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.