Preventing GrandCrab From Exploiting Your Device and Your Business Assets

What is GrandCrab? 

Discovered towards the end of 2018, GrandCrab is ransomware: it encrypts the target’s files and demands payment for their release. It infects individuals and businesses running Microsoft Windows.

GrandCrab is organised along the lines of an affiliate business model. The tool can be used directly by a threat actor or offered as RaaS (Ransomware as a Service), in which the developers supply a ransomware platform to other threat actors.

This lets low-level criminals who lack technical skills run ransom campaigns against their targets. While the affiliates use GrandCrab to find and select victims, the creator of the ransomware concentrates on adding new features and ‘services’ to the software and improving its encryption. There are currently 5 versions of GrandCrab.

When a target’s computer is infected, ransom notes are displayed; clicking one directs the victim to a website on the Dark Web.

As a manipulation tactic, GrandCrab lets victims decrypt one file of their choice for free. The ransom must then be paid in Dash, a cryptocurrency favoured by criminals for its strong privacy. The ransom amount is set independently by each affiliate.

Although victims are strongly advised not to pay, since there is no certainty that they will regain access to their files, GrandCrab offers those who pay a decrypter to recover their files. If victims have problems with the decrypter tool or with the payment, GrandCrab provides 24/7 ‘free’ online chat support.

More technical information about GrandCrab can be found here and here.

How is it spread? 

GrandCrab is delivered by several methods, including spam emails, exploit kits, other malware and network connections. The most common are the GrandSoft and RIG exploit kits and malicious spam emails. In the email case the message carries a ZIP archive; if the target opens the file enclosed in it, a JavaScript file carrying GrandCrab is downloaded and executed.

Exploit kits also let the ransomware move from one device to the next. An exploit kit is a collection of exploits that criminals use to spread malware; the threat actor deploys it against vulnerabilities in the target’s system to gain unauthorised access.
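The spam-email route above relies on a script file hidden inside a ZIP attachment. A mail gateway or endpoint tool can hold such attachments before a user ever sees them. The following is an added example, not code from the original post or from any named product, of that check: it lists the archive members whose final extension is a script type and holds the attachment if any are found or if the archive cannot be parsed. The extension list beyond .js, the function names and the sample archive are assumptions for the demo.

```python
import io
import zipfile
from pathlib import PurePosixPath
from typing import List, Tuple

# Script types a mail gateway would refuse inside an archive. The post names
# only JavaScript; the other entries are an assumed, commonly blocked set.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1"}


def script_entries(zip_bytes: bytes) -> List[str]:
    """Return the archive members whose final extension is a script type."""
    found = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Only the last suffix decides how Windows runs the file:
            # 'invoice.pdf.js' is JavaScript, whatever the name suggests.
            if PurePosixPath(info.filename).suffix.lower() in SCRIPT_EXTENSIONS:
                found.append(info.filename)
    return sorted(found)


def quarantine_decision(zip_bytes: bytes) -> Tuple[str, List[str]]:
    """Decide whether an attachment is delivered or held, with the reasons."""
    try:
        hits = script_entries(zip_bytes)
    except zipfile.BadZipFile:
        # An archive that cannot be parsed cannot be inspected, so hold it.
        return ("quarantine", ["unreadable archive"])
    return ("quarantine", hits) if hits else ("deliver", [])


def build_sample_zip(with_scripts: bool = True) -> bytes:
    """Constructed demo attachment; the members are harmless placeholder text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("notes.txt", "plain text placeholder")
        if with_scripts:
            archive.writestr("invoice.pdf.js", "// constructed placeholder, not malware")
            archive.writestr("docs/Statement.JS", "// constructed placeholder, not malware")
    return buf.getvalue()


if __name__ == "__main__":
    print(quarantine_decision(build_sample_zip()))
    print(quarantine_decision(build_sample_zip(with_scripts=False)))
```

The check deliberately looks only at the last suffix and compares it case-insensitively, because a double extension such as invoice.pdf.js is exactly how a script is disguised as a document; an archive that cannot be read is held rather than passed through, since an uninspectable attachment offers no assurance.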

Protecting yourself and your business from GrandCrab 

Ensure that your files are continuously backed up – Regular backups lessen the damage caused by a ransomware infection: an infected system can be wiped and restored from backup, and use of the device can continue.

Be cautious of email attachments and links – Treat any attachment or link in an email with care, even when it comes from a trusted source. If the email claims to be from a legitimate business, go directly to that business’s website or app instead. If you receive an unsolicited email from a legitimate business, email or call the business directly before clicking a link or opening an attachment. NEVER open an attachment or click a link until you are sure it is legitimate.

Make sure to regularly update and patch your system – Regular updates shorten the window in which a threat actor can find and exploit an unpatched vulnerability, and so help prevent unauthorised access to your system. If old software on your device is no longer needed, uninstall it and restart the device.

Limit the use of remote access – If you are a business owner, limit the number of users who can access the system remotely. If you are an individual user, reconsider whether you really need remote access at all. Providing a VPN for employees who work remotely reduces the likelihood of RDP (Remote Desktop Protocol) being exposed and abused.

Adopt strong passwords and refrain from reusing them – Where remote access to a system is an absolute necessity, use a strong password together with multifactor authentication.

Install trustworthy cybersecurity software – It warns the user of a potential trojan embedded in a site they have visited or intend to visit, and blocks trojans, viruses, downloads carrying malicious code, bad links and infected websites, preventing ransomware like GrandCrab from infecting your system.

How to remove the GrandCrab ransomware  

If your device has been infected by GrandCrab, whether you are a business owner or an individual who has been targeted, the following steps can be taken to remove the ransomware from your device.

  1. Open File Explorer, select the View tab and tick the “File name extensions” box. Windows typically hides file extensions, for example .doc.
  2. You will now be able to see which files have been affected by the extension they carry:
  • Version 1 GrandCrab: the .gdcb extension
  • Versions 2 and 3 GrandCrab: the .crab extension
  • Version 4: the .krab extension
  • Version 5: an extension of 5 letters in random order
  3. Download a decrypter. A free decrypter is available for files affected by versions 1, 4, 5.01 and 5.2. Unfortunately, there is no free decryption software for versions 2 and 3.
  4. Alternatively, contact the IT staff at your organisation or a third-party IT company to resolve the issue.
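Checking extensions one folder at a time in File Explorer does not scale to a file share. The following added example, which is not code from the original post, walks a directory tree, groups files by the version their extension suggests using the table above, and reports what the post says about free decrypters for each version. The random five-letter extension of version 5 cannot be matched exactly, so it is flagged only heuristically: five ASCII letters that are not a common legitimate extension, sitting on top of a name that still has its original extension. The allowlist, the function names and the constructed sample files are assumptions.

```python
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, List, Optional

# Extensions named in the post for versions 1 to 4.
KNOWN_EXTENSIONS = {
    ".gdcb": "version 1",
    ".crab": "version 2/3",
    ".krab": "version 4",
}

# Legitimate five-letter extensions that must not trip the version-5 heuristic
# (assumed allowlist; extend it for your own environment).
LEGIT_FIVE_LETTER = {".class", ".xhtml", ".plist", ".pages", ".patch", ".swift", ".dylib"}

# What the post says about free decrypters for each version.
FREE_DECRYPTER = {
    "version 1": "free decrypter available",
    "version 2/3": "no free decrypter",
    "version 4": "free decrypter available",
    "possible version 5": "free decrypter for 5.01 and 5.2 only; confirm the exact version",
}


def classify(path: Path) -> Optional[str]:
    """Map a file name to the GrandCrab version its extension suggests, or None."""
    ext = path.suffix.lower()
    if ext in KNOWN_EXTENSIONS:
        return KNOWN_EXTENSIONS[ext]
    # Version 5 heuristic: the ransomware appends five random letters to the
    # original name, so 'notes.txt.qwzpk' keeps its real extension underneath.
    letters = ext[1:]
    original_ext = Path(path.stem).suffix
    if (len(letters) == 5 and letters.isascii() and letters.isalpha()
            and ext not in LEGIT_FIVE_LETTER and original_ext):
        return "possible version 5"
    return None


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk a directory and group suspicious files by suspected version."""
    hits: Dict[str, List[str]] = defaultdict(list)
    for path in root.rglob("*"):
        if path.is_file():
            label = classify(path)
            if label:
                hits[label].append(path.relative_to(root).as_posix())
    return {label: sorted(files) for label, files in hits.items()}


def triage_report(root: Path) -> Dict[str, str]:
    """One line per suspected version: file count and the decrypter situation."""
    return {label: f"{len(files)} file(s); {FREE_DECRYPTER[label]}"
            for label, files in scan_tree(root).items()}


def build_sample_tree() -> Path:
    """Constructed sample files (empty, harmless) standing in for an infected share."""
    root = Path(tempfile.mkdtemp(prefix="grandcrab-demo-"))
    (root / "finance").mkdir()
    for name in ["report.docx.gdcb", "finance/budget.xlsx.crab", "photo.jpg.krab",
                 "notes.txt.qwzpk", "Main.class", "clean.txt"]:
        (root / name).write_text("")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for label, line in triage_report(demo_root).items():
        print(f"{label}: {line}")
```

Run it against the root of a share rather than a single folder; the version-5 matches are a starting point for manual confirmation, not a verdict, which is why they are reported under a separate “possible” label.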

Do not give in and pay the ransom. In most cases decryption is possible, and there is no guarantee that you will get your files back if you pay. Paying also increases the likelihood of your organisation being targeted again in the future.

How can Securiwiser help?  

Our aim is also to ensure that our clients, whether individual users or business owners, are confident in their knowledge of the cyber threats their businesses may face, of rising trends in and the frequency of particular threats, and of protection and prevention methods that are cost-effective and time-saving.

Criminals often gain unauthorised access by exploiting vulnerabilities that are unknown to the device owner. Securiwiser can run regular scans of your system and report the exact details of the threats found. We can also explain these threats to our clients and recommend the best course of action, saving your business time and money.
