Sophos, a network and endpoint security solutions company, calls GandCrab the “most prolific ransomware in circulation” at the moment, because even a neophyte ransomware crime lord could build a criminal fiefdom of up to 200 victims in a two-month period.
GandCrab first appeared over a year ago and was promoted on public websites but sold exclusively through the Dark Web. Its operation is very similar to other ransomware, but its ransomware-as-a-service business model seems to have propelled it forward.
The ransomware may owe some of its early success to its unique software licensing scheme. For $100, neophyte ransomware crime lords could build a criminal fiefdom of up to 200 victims in a two-month period, working their way up to earning enough to afford more premium-rate services and features.
In essence, the GandCrab creators provide a criminal franchise system. The business model for GandCrab gives the franchisee the option of choosing their ransom amount, among other features. Some victims report ransoms as low as $300 but they can run an order of magnitude higher.
GandCrab was initially delivered via the RIG exploit kit, but once licensees began using the ransomware, they chose whatever distribution method suited them best. Within a month, malicious spam began to appear carrying malicious Office documents that, when opened, delivered GandCrab to victims. The malware itself uses a deviously clever fileless approach to execute itself and encrypt the victim’s files. This is an effective countermeasure against traditional antivirus software, which cannot detect or clean a malicious file that is conspicuously absent from disk.
For a more detailed report, please go to SophosLabs Uncut. Sophos leverages on-demand curated threat intelligence from SophosLabs and machine learning to rapidly detect, prioritize, investigate and respond to incidents. With Sophos Synchronized Security, companies can better manage and defend their network thanks to integration between endpoint and network solutions. The latest releases of XG Firewall and Intercept X with EDR are now available on Sophos Central’s cloud management platform.