Extortion plus theft: GandCrab ransomware teams up with Vidar stealer

A recent tweak in the GandCrab 5.0.4 ransomware campaign involves the Vidar infostealer component, which potentially makes the attack much more harmful.

The operators of GandCrab, one of the most competently crafted and prolific ransomware threats out there, continue to demonstrate that they have plenty of extra tricks up their sleeve – as if the uncompromising extortion weren’t enough. In a recent move, the crooks have been utilizing a combo of the ransom Trojan and an evasive infostealer called Vidar. The coupled distribution mechanism relies on the use of the Fallout exploit kit that mainly zeroes in on the users of torrent and streaming video sites.

Vidar, the name of the co-occurring malware, echoes back to Norse mythology and denotes a god associated with vengeance. With this character being also dubbed “Vidar the Silent”, the reference is quite relevant for the data stealer in question. It can pilfer a variety of information, including browser history, credit card details, passwords, and cryptocurrency wallets while running in the background and raising no red flags. It also communicates with its Command & Control server to submit the harvested information to the criminals in charge and download additional malware.

The Vidar – GandCrab tandem: how it works

The GandCrab crew have diversified their portfolio by making sure their culprit is dropped as a secondary payload following the Vidar infection. Whereas the latter is stealthy by design, the ransomware will instantly give the victim a heads-up by displaying a ransom note right on the desktop. Consequently, the malicious reconnaissance needs to come first so that the plagued user don’t notice the raid from the get-go.

The Vidar stealer is sold as a turnkey solution on the darknet for $700. It can be customized to collect specific types of sensitive data that the malefactors seek to obtain. Its propagation chain commences with malvertising deployed on streaming media sources and torrent sites. The visitors are redirected to the above-mentioned Fallout exploit kit, which in its turn spots vulnerable applications on the user’s computer and takes advantage of them to execute the perpetrating code.

Once on board, Vidar scours the plagued machine for the information specified in its configuration file. Most of the time, it will retrieve system details (OS version, installed software, running processes, etc.), the victim’s IP address, geolocation, passwords, as well as multiple kinds of digital wallets if any. All the covertly captured information is then added to a ZIP file and sent to the C&C server.

Then, the ransomware component comes into play. The original payload pulls in the GandCrab 5.0.4 ransomware from the C2 server about a minute after the stealer module is dropped. Obviously, this short timeframe is enough to loot the entirety of personal data on the host behind the victim’s back.

Said crypto menace is the latest iteration of the notorious family that does not yield to free decryption offered by the recovery tool released in late October 2018. It scans the hard disk, removable drives and network shares for popular categories of files and applies an uncrackable cipher to lock them down. The pest also replaces the desktop wallpaper with a ransom message.

Another byproduct of the attack is the concatenation of a random-looking extension consisting of up to nine characters to every hostage file. A TXT edition of the rescue note, which is added to the desktop and all affected folders with data, instructs the user to visit a decryptor page using Tor Browser. The extortionists typically demand 800-1,000 worth of Bitcoin or DASH cryptocurrency for the secret private key and recovery tool that will supposedly allow the victim to get all the files back.

Summary

Although ransomware has seen a decline last year, a few ongoing campaigns are still a major headache for home users and businesses around the world. The worst part is, these hoaxes are evolving, as is the case with GandCrab. The felons have combined the crypto infection with an infostealer element, which allows them to benefit from each incursion even if the victim refuses to pay the ransom. The ransomware operators can cash in on the stolen data themselves or sell it further to interested parties on the darknet.