Ads promoting GandCrab Ransomware-as-a-Service found on the Russian underground forums
On February 2, 2018, Australian cyber-security researchers from LMNTRIX revealed that a GandCrab license is being sold on the black market for an unspecified sum of money. To multiply their income, the extortionists have started marketing the virus as ransomware-as-a-service (RaaS) on several Russian-speaking underground forums.
RaaS projects are currently on the rise, which is not surprising given the success of ransomware. Thousands of people who participate in various underground forums ask extortionists how they manage to earn millions of dollars without being identified and, encouraged by success stories, decide to join the black market. They pay a set sum in cryptocurrency to get instructions on how to customize and distribute the purchased ransomware and then set off hunting for victims.
GandCrab is currently the only ransomware that accepts Dash coins
As a quick reminder, GandCrab is a file-encrypting virus, or ransomware, which is a newcomer compared with Petya or Cerber ransomware. Nevertheless, experts are worried about how widely it could spread because of its unusual traits. Unlike its predecessors, GandCrab uses the RIG and GrandSoft exploit kits, which are delivered through a malvertising campaign called Seamless. Once executed, it locks files stored on the target system and appends the .GDCB extension to each of them. It also creates a GDCB-DECRYPT.txt file on the desktop. That is the ransom note, which instructs the victim to pay a ransom of 1.54 DASH (approx. $1200). So far, it is the only ransomware virus that accepts Dash coins.
Currently, the exact number of GandCrab victims is not clear, but the LMNTRIX finding about ads promoting this ransomware-as-a-service suggests that it is not very successful.
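The two file-system artifacts described above (the appended .GDCB extension and the GDCB-DECRYPT.txt note) can be used for a quick triage sweep of a host or file share. The following Python sketch is an added example, not code from LMNTRIX or from the article; the function names, the verdict labels and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".gdcb"        # extension named in the article
RANSOM_NOTE = "gdcb-decrypt.txt"  # ransom note name named in the article


def scan_tree(root):
    """Walk root and collect the two file-system artifacts, case-insensitively."""
    report = {"notes": [], "encrypted": [], "original_types": Counter(), "dirs": Counter()}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower == RANSOM_NOTE:
                report["notes"].append(full)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # The extension is appended, so stripping it recovers the original name.
                original = name[: -len(ENCRYPTED_SUFFIX)]
                ext = os.path.splitext(original)[1].lower() or "(none)"
                report["encrypted"].append(full)
                report["original_types"][ext] += 1
                report["dirs"][dirpath] += 1
    return report


def verdict(report):
    """Both artifacts together are a stronger signal than either one alone."""
    if report["notes"] and report["encrypted"]:
        return "likely-infected"
    if report["notes"] or report["encrypted"]:
        return "suspicious"
    return "clean"


def build_sample(root):
    """Create a constructed sample tree (not real victim data)."""
    for rel in ("Desktop/GDCB-DECRYPT.txt", "Documents/report.docx.GDCB",
                "Documents/budget.xlsx.GDCB", "Pictures/cat.jpg", "Pictures/dog.jpg.gdcb"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        rep = scan_tree(tmp)
        print(verdict(rep), len(rep["encrypted"]), dict(rep["original_types"]))
```

The per-directory and per-type counters show which folders and document types were hit, which helps scope what has to be restored from backup.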
The partners are asked not to target Russian-speaking countries
As reported by LMNTRIX, GandCrab developers offer the partners 60 percent of the revenue with a possibility to increase the share to 70 percent. The ransomware developers also offer future partners technical support and updates, but every service or piece of information has a fee.
Before making a deal, GandCrab RaaS distributors urge partners to commit to one condition: to avoid targeting the countries that now comprise the Commonwealth of Independent States (Armenia, Azerbaijan, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, and Uzbekistan). To win over undecided cyber-criminals-to-be, the ransomware developers claim that the number of alliance members is limited.
It's unknown how many GandCrab licenses the extortionists have sold, but the number should not exceed 10. Currently, there are no reports of attacks by this ransomware, so we expect that the offer did not sell well.