The cybercriminals behind GandCrab have added infostealer Vidar to the process for distributing the ransomware package. The addition of Vidar helps increase their profits by stealing sensitive information before encrypting the victim’s files.
Malware Delivered via Malvertising Campaign
Using Internet Explorer and Flash Player exploits delivered by the Fallout exploit kit, the duo of GandCrab ransomware and the Vidar infostealer trojan is distributed by a prolific malvertising campaign. The campaign targets high-traffic torrent and streaming sites and redirects users towards two malicious payloads.
The first payload, Vidar, is a relatively new form of malware that targets vast amounts of victims’ information including passwords, documents, screenshots, browser histories, messaging data, credit card details, and even data stored in two-factor authentication software. Vidar also has the ability to target virtual wallets storing cryptocurrencies.
The malware, named after Norse God Vidarr the Silent – a name the authors may have chosen to reflect its stealthy capabilities – is highly customizable and has been distributed by several hackers in different campaigns.
Much like other infostealers, Vidar is designed to operate secretly, leaving infected victims unaware that their systems have been compromised. The attack then makes off with private information that’s packaged up and sent to a command-and-control (C&C) server.
GandCrab Ransomware Adds Salt to the Wound
If having an array of your personally identifiable information stolen wasn’t enough, Vidar’s C&C server also operates as a downloader for GandCrab ransomware. As you may have read in our 2018 Cybersecurity Review, GandCrab was one of the most widely distributed and profitable ransomware families last year.
Only about a minute after Vidar starts its processes, GandCrab version 5.04 is dropped onto the system and begins its encryption process. Initial research suggests the ransomware is delivered in an attempt to stop victims from uncovering the initial Vidar infostealer payload – or worse, it could be an attempt to destroy the infected system entirely.
“It could be, for instance, a simple decoy where the real goal is to irreversibly corrupt systems without any way to recover lost data,” said Jérôme Segura, Lead Malware Intelligence Analyst at Malwarebytes. “But as we see here, it can be coupled with other threats and used as a last payload when other resources have already been exhausted.”
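As an added illustration, not code from the article or from Malwarebytes, the following correlation rule runs over constructed endpoint telemetry and flags the two-stage pattern described above: a process that beacons out, then writes an executable which is started shortly afterwards and performs a burst of file writes. The event format, the thresholds and the sample records are assumptions chosen for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DROP = r"C:\Users\u\AppData\Local\Temp\b.exe"  # constructed path of the second-stage executable
# Constructed telemetry, not from the article: (timestamp, pid, event, detail). The ~60 s gap
# between the beacon and the second-stage start mirrors the timing the article reports.
SAMPLE_EVENTS = [
    ("2019-01-08T10:00:00", 4120, "process_start", r"C:\Users\u\AppData\Local\Temp\a.exe"),
    ("2019-01-08T10:00:05", 4120, "net_connect", "198.51.100.23:80"),  # beacon (TEST-NET-2 address)
    ("2019-01-08T10:01:02", 4120, "file_write", DROP),
    ("2019-01-08T10:01:05", 5310, "process_start", DROP),
] + [("2019-01-08T10:01:%02d" % (10 + i), 5310, "file_write", r"C:\Users\u\Documents\doc%d.docx" % i)
     for i in range(40)]  # ransomware-style write burst by the second stage

BEACON_WINDOW = timedelta(seconds=180)  # max delay between beacon and second-stage start
BURST_WINDOW = timedelta(seconds=60)    # window in which file writes are counted
BURST_THRESHOLD = 30                    # writes per window treated as an encryption burst

def detect_two_stage(events):
    """Return one alert per process that (a) was started from an .exe written by a process that
    had beaconed out, and (b) then wrote BURST_THRESHOLD or more files inside BURST_WINDOW."""
    events = sorted(events, key=lambda e: e[0])       # ISO-8601 strings sort chronologically
    first_beacon, dropped, stage_two = {}, {}, {}     # pid->time, exe->(pid,time), pid->(dropper,time)
    writes = defaultdict(list)                        # pid -> file_write timestamps in order
    for ts, pid, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if kind == "net_connect":
            first_beacon.setdefault(pid, t)
        elif kind == "file_write":
            writes[pid].append(t)
            if pid in first_beacon and detail.lower().endswith(".exe"):
                dropped[detail] = (pid, t)            # a beaconing process dropped an executable
        elif kind == "process_start" and detail in dropped:
            dropper, _ = dropped[detail]
            if t - first_beacon[dropper] <= BEACON_WINDOW:
                stage_two[pid] = (dropper, t)         # dropped executable started soon after beacon
    alerts = []
    for pid, (dropper, started) in stage_two.items():
        ts_list = writes.get(pid, [])
        for i, t0 in enumerate(ts_list):              # sliding window over this process's writes
            n = sum(1 for t in ts_list[i:] if t - t0 <= BURST_WINDOW)
            if n >= BURST_THRESHOLD:
                alerts.append({"beacon_pid": dropper, "beacon_at": first_beacon[dropper],
                               "stage_two_pid": pid, "started_at": started, "writes_in_window": n})
                break
    return alerts

if __name__ == "__main__":
    for a in detect_two_stage(SAMPLE_EVENTS):
        print("two-stage infostealer/ransomware pattern:", a)
```

The thresholds are deliberately loose; in production they would be tuned against a baseline of legitimate installers and backup tools, which also write many files shortly after downloading.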
The dynamic duo of GandCrab ransomware and the infostealing Vidar trojan is certainly an unwelcome start to the New Year. It’s not surprising, however: as we become more sophisticated with our defenses, hackers are going to become more sophisticated with their attacks. It’s widely known that a decryption tool is readily available for versions 4 and 5 of GandCrab. With that being said, adding the infostealer to the package is going to increase their profits tenfold. Hackers will use the stolen data to steal victims’ identities, open credit cards, or even sell it on the dark web.
To avoid becoming a victim of this hellacious attack, keep your systems up to date. This ensures that you will not be infected via drive-by downloads that rely on already patched vulnerabilities. Furthermore, web protection and ad blockers help prevent the malicious redirections triggered by malvertising.