Skip to Content

Cybercrooks are using this new scheme to spread ransomware

Ransomware quickly rose to become the current biggest software security threat out there. One thing about ransomware that’s so appealing to cybercriminals, aside from its profitability, is its adaptability.

It’s constantly evolving, as cybercriminals change their code to suit their needs and to elude security software. And it’s not just the code that changes regularly, the vectors and methods for ransomware distribution also keep changing.

In fact, a new form of ransomware with unusual methods of distribution has been spotted recently by software security firm Malwarebytes.

Typically, ransomware is delivered via poisoned files and attachments embedded in spam and phishing emails – you know, the “click this receipt!” or “read this PDF!” variety.

This new ransomware variant, however, is spread via exploit kits.

What are exploit kits?

Exploit kits are sets of automated hacking tools usually sold on the Dark Web meant for novices who typically can’t write their own malware code yet.

These easy-to-use kits commonly target vulnerabilities in widely used software like web browsers, Microsoft Office, Java and Adobe Flash Player to spread malware payloads.

You’ve probably seen your own share of exploit kits in action on the web. Cybercriminals usually embed them in malicious ads, fake Flash updates, video plugins and pop-ups to target vulnerable machines with outdated software.

These kits check a machine for exploitable flaws first then proceed to install malware automatically if vulnerabilities are found. This is why it’s important to always have updated software!

Exploit kit campaigns are known for spreading all sorts of nasties, including trojans, password stealers, and cryptojackers but Malwarebytes noted that using them for distributing ransomware is “unusual.”


The ransomware in question is called GandCrab. It was first seen by Malwarebytes researchers on January 26 and it is being currently distributed by two separate exploit kits, RIG and GrandSoft.

The RIG exploit kit is known for using flaws in Adobe Flash Player and Internet Explorer to execute browser-based attacks. Malwarebytes noted that “RIG spreads GandCrab to victims using malvertising on compromised websites.”

The GrandSoft exploit kit is an old kit from 2012 and it exploits a vulnerability in the Java Runtime Environment for remote code execution.

This means both exploit kits can install GandCrab on an unpatched computer by merely visiting a compromised website, requiring no user interaction at all! Quite scary, indeed.

Once installed, GandCrab is just like any other ransomware. It locks Windows files using RSA encryption and it displays a ransom note demanding payment for the “GandCrab Decryptor” needed for unlocking the files.

GandCrab doesn’t demand payment in Bitcoin like other ransomware scams, though. It prefers payments with a lesser known cryptocurrency called Dash. The current rate for the ransom stands at 1.5 Dash (around $1,200) but doubles if the price is not paid within a few days.

Image Credit: Malwarebytes

Image Credit: Malwarebytes

How to protect yourself from exploit kits and GandCrab

Unfortunately, if you do get infected with GandCrab, there are currently no free decryption keys available yet so prevention is your best defense.

Like I mentioned, always keep all your software updated. This includes the latest patches for your web browsers, plugins, operating system and software.

Although hackers are always looking for the next zero-day flaw, having the latest versions of your software will protect you from widely used exploit kits like RIG and GrandSoft, which typically target old bugs that have most likely been patched by now.

Another great insurance policy against ransomware is a good online backup solution! With the threat of ransomware constantly looming, a reliable backup will always give you the peace of mind you need. We recommend our sponsor IDrive for all your Cloud backup needs! Go to and use promo code Kim to receive an exclusive offer.

Click here and remember to use promo code Kim to receive 50% off.


Cybercriminals are reportedly distributing malware by tainting digital copies of this popular book. Click here to read more about this new scheme.

cryptocurrency e-book hero

New eBook: ‘Cryptocurrency 101’

Don't want to lose your dough to crypto? Check out my new eBook, "Cryptocurrency 101." I walk you through buying, selling, mining and more!

Check it out