Magnitude EK leveraged to push out GandCrab ransomware

Magnitude Exploit Kit forsook Magniber and switched to the infamous GandCrab ransomware

GandCrab spreads via Magnitude EK

GandCrab,[1] one of the most prominent ransomware threats, emerged at the beginning of 2018. It managed to infect more than 50,000 PCs and gain approximately $600,000 in revenue within less than four months. Despite the GandCrab decryptor released by Bitdefender,[2] it keeps tricking inexperienced PC users into paying the ransom every day.

According to ransomware researchers, the success of GandCrab – from the perspective of an attacker – depends on the choices that cybercriminals make to keep the virus agile. The ransomware receives continuous updates, and its distribution techniques keep expanding. One of the most prominent changes in the GandCrab event chain is the switch from spam and social engineering attacks to the Magnitude Exploit Kit (EK).

Magnitude EK uses fileless attack technique

Magnitude EK[3] is an old threat that has been used for cyber attacks since 2014. It exists to initiate drive-by-download attacks: one part of the kit targets vulnerable software with a previously determined list of exploits, while the other part is responsible for transferring malware to the newly compromised system.

Until now, the Magnitude exploit kit has been a somewhat obscure service. Over more than a decade, its developers have managed to turn this EK into a certified threat that generates more than USD 60,000 per week in income. It has been used to spread such infamous infections as Cerber and Magniber.[4] The fact that it has switched to GandCrab is therefore alarming.

Researchers from Malwarebytes Labs[5] claim that Magnitude EK is currently using a fileless technique, meaning that the ransomware payload is not bound to .exe files, which makes it more difficult to detect and immunize against. Besides, it keeps paving the way for its malware via binary padding and traffic/network packet capture.

The GandCrab dissemination model

While GandCrab could earlier be recognized by .exe files such as gandcrab.exe, from now on we can expect the ransomware to get inside systems without being tied to any particular file.

The payload of the ransomware is encoded as VBScript.Encode/JScript.Encode; once inside the system, it is decoded in memory and executed. After execution, the payload targets explorer.exe to force the system to reboot. If it succeeds, the reboot leaves all personal files encrypted and marked with the .CRAB or .gdcb file extension, along with a ransom note named GDCB-DECRYPT.txt.
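Because the payload arrives as VBScript.Encode/JScript.Encode script content rather than an .exe, web content saved by a proxy or sandbox can be checked for encoded script blocks. The following is an added detection example, not code from the researchers cited here; the function and class names are hypothetical, the sample page is constructed, and it assumes encoded bodies start with the `#@~^` header written by the Windows Script Encoder.

```python
from html.parser import HTMLParser
ENCODED_LANGS = {"vbscript.encode", "jscript.encode"}
ENCODER_MARKER = "#@~^"  # header that Windows Script Encoder output starts with

class EncodedScriptFinder(HTMLParser):
    """Records <script> blocks that declare or contain Script Encoder content."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []   # (line number, reason)
        self._open = False   # currently inside a <script> element
        self._lang = ""
        self._line = 0
        self._body = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            values = {k: (v or "").strip().lower() for k, v in attrs}
            self._lang = values.get("language") or values.get("type", "")
            self._line = self.getpos()[0]
            self._open, self._body = True, []

    def handle_data(self, data):
        if self._open:
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._open:
            self._open = False
            if self._lang in ENCODED_LANGS:
                self.findings.append((self._line, "declared " + self._lang))
            elif "".join(self._body).lstrip().startswith(ENCODER_MARKER):
                self.findings.append((self._line, "encoder marker in body"))

def find_encoded_scripts(html):
    """Return (line, reason) for every encoded script block in an HTML string."""
    finder = EncodedScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
# Constructed sample page; the encoded bodies are placeholders, not real payloads.
SAMPLE = """<html><body>
<script language="JScript.Encode">#@~^EAAAAA==PLACEHOLDER^#~@</script>
<script>var greeting = "hello";</script>
<SCRIPT LANGUAGE='VBScript.Encode'>#@~^EAAAAA==PLACEHOLDER^#~@</SCRIPT>
<script>#@~^EAAAAA==PLACEHOLDER^#~@</script>
</body></html>"""

if __name__ == "__main__":
    for line, reason in find_encoded_scripts(SAMPLE):
        print(f"line {line}: {reason}")
```

A hit is a reason to inspect the page, not proof of an exploit kit, since encoded scripts also appear in old legitimate intranet pages.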

Magnitude EK distributes version 2.0 of GandCrab in particular. It’s not decryptable yet, so people whose PCs were attacked should either pay the ransom in DASH[6] cryptocurrency (not recommended) or remove the ransomware without delay.

Protect your PC from GandCrab ransomware by updating the system regularly

As pointed out by security experts, probably the only way to protect the system from ransomware attacks that rely on Exploit Kits like Magnitude is to update the system regularly.

In the case of GandCrab, it’s essential to patch the Internet Explorer (CVE-2016-0189) and Flash Player (CVE-2018-4878)[7] vulnerabilities. Besides, keep up with the latest security news and install every security update released by Microsoft or other reputable companies.

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
