FortiGuard Labs Threat Research

GandCrab 2.1 Ransomware on the Rise with New Spam Campaign

By Jasper Manuel, Joie Salvio, and Rommel Joven | April 25, 2018

Over the past few days, FortiGuard Labs has been observing a surge in an email spam campaign delivering the latest GandCrab v2.1 ransomware. This article provides a basic overview of this malicious campaign, and points out details that can help users identify it.

Spam Campaign

The image below is a screenshot from our KTIS (Kadena Threat Intelligence System) that shows the overview of a single spam campaign that led to a GandCrab v2.1 sample being delivered as a payload. 

Fig.1 KTIS visualization of the spam

Isolating a branch from the illustration allows us to look at the campaign in more detail, as shown in the following image. This figure reveals that multiple emails include a Javascript attachment, which when executed, downloads a Gandcrab v2.1 variant from the malicious URL, http[:]//

The graph also shows that at the time of this writing, three unique (different) hashes of Gandcrab v2.1 had already been hosted from the URL. This means that newly created samples are being pushed simultaneously, possibly with different configurations, or simply in an attempt to evade specific file signatures. Not limiting itself to Gandcrab, the entity behind this IP address is also hosting other malware, such as Phorpiex, which is a worm that allows backdoor access and control, and IRCbot which is a Trojan that can provide attackers with remote access to infected system, as well as a coin miner.

Fig.2 A single chain of the GandCrab 2.1 spam campaign

As mentioned previously, the email spam samples include attached JavaScripts hidden inside archives with the filename format DOC<NUMBERS>.zip. Their contents are all practically the same as those shown in the next figure. Samples observed contained the following subjects:

·       Document #<NUMBERS>

·       Invoice #<NUMBERS>

·       Order #<NUMBERS>

·       Payment #<NUMBERS>

·       Payment Invoice #<NUMBERS>

·       Ticket #<NUMBERS>

·       Your Document #<NUMBERS>

·       Your Order #<NUMBERS>

·       Your Ticket #<NUMBERS>

Fig.3 Email spam sample delivering GandCrab v2.1

Geographical Distribution

The graph below details the spam distribution in terms of the email recipient domains gathered from the collected spam emails over the past week. As can be seen, mail servers hosted in the US are currently the primary recipients of this campaign.

Fig.4 Geographical distribution of email recipient domains

On the other hand, the next graph below shows a more general perspective of GandCrab’s actual infection during the past month. Based on timing alone (04/14-04/17), it can be observed that infection had already gone up at the time of this campaign’s discovery.

Fig.5 GandCrab infection timeline in the past month

With regards to actual successful GandCrab infections, India is in the top spot, as shown in the following graph.

Fig.6 GandCrab infection geographical graph

File Recovery

Fig.7 Files encrypted with .CRAB extension

The ransom note contains a link to an onion site that the user has to visit using a TOR browser – which is a browser designed for anonymous internet browsing and downloading – in order to purchase a file decryptor. The page displays the usual ransomware information, such as further instructions and the initial ransom amount, which will be doubled after a certain time. However, we discourage users from paying the ransom as this does not guarantee any actions from the threat actors.

Fig.8 GandCrab v2.1 ransom note
Fig.9 Payment page shows doubled decryption price after the countdown expires


GandCrab ransomware, or any type of ransomware for that matter, can cause irreversible damage to an infected system. The best defense against these kinds of attacks is good cyber hygiene and safe practices. In this case, remember that it is always important to be cautious about unsolicited emails, especially those with executable attachments. In addition, if all else fails, make sure you always have a backup stored in an isolated network environment in order to successfully recover a compromised system.

As always, FortiGuard Labs will continue monitoring GandCrab’s activity, as well as other malware being distributed by these spam campaigns.

-= FortiGuard Lion Team =-



Fortinet users are protected by the following solutions:

·       Emails are blocked by our FortiGuard AntiSpam Service

·       Files in  the attack chain are detected by FortiGuard Antivirus

·       Malicious download URLs and C2s are blocked by our FortiGuard Web Filtering Service.

·       FortiSandbox rates any execution point in the attack chain as “High Risk”


FortiMail and the Security Fabric

FortiMail is a central component of the Fortinet Security Fabric and a key protection point against new, previously unseen threats using email as the attack vector.  FortiMail has multiple layers of threat preventions and integrations which enable the interception and neutralization of this and other such email-bourne threats:

When integrated with FortiSandbox in the security fabric, FortiMail queues emails whilst the threats are opened and executed in a sandboxed virtual machine.  FortiSandbox was able to detect this threat based on the behavior of the JS file and subsequent callouts to malicious URLs and C2s, rating the content a ‘high risk’, allowing FortiMail to neutralize the threat from the first occurrence.

FortiMail utilizes the FortiGuard Spam and Virus Outbreak Service which uses cloud based machine learning to identify and block new threat outbreaks.  This blocked the various form of this threat within seconds of the service detecting the start of each campaign. 

A range of content based methods are available to neutralize such threats including:

o   Removal of active content e.g. exe and javascript from emails

o   Neutralizing Office and PDF documents by removing macros, javascript, ebedded content, DDE etc.

A key feature of the security fabric is the sharing of threat intelligence across the participants.  Once a threat is identified, malware and malicious URL packages are shared between fabric members including FortiSandbox, FortiMail, FortiGate and FortiClient, so that should the threat attempt to utilize other vectors for exploitation, it will be detected instantly.







<list reduced for brevity>


JS Downloaders

9898b8e0a8b1a6ba96b07bc01ecef716cf9c5280f5190467e5da449854e64b22 - BAT/Agent.ALP!tr

d3120d04ed68b46249f9d27d0174840dc99b75eae338b46ed3d64fc7e386f1c - BAT/Agent.ALP!tr

bf7e29484aebfa7be8877639ea16383d5c4025cbf359d5c2566c98f5e1fccea1 - BAT/Agent.ALP!tr

<list reduced for brevity>


GandCrab v2.1

846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f - W32/Kryptik.GFTZ!tr

a3e2a45504a3bcf9f96acabb601410e2250165c3d19f2580c50a15bf910f3d9f - W32/Kryptik.GFTT!tr

339d22b5e02c79cdaa355bb11b063645332d0a2fd43ae78af6577818c4078284 - W32/Kryptik.GFRY!tr


Download URL







Check out our latest Quarterly Threat Landscape Report for more details about recent threats.

Sign up for our weekly FortiGuard intel briefs or for our FortiGuard Threat Intelligence Service.