GandCrab Caught in DeepArmor’s Net


One of the toughest security challenges for any organization is deciding which applications should be allowed and which should not. Documents are almost universally allowed, and adversaries know this. They are taking advantage of these documents to infect, encrypt, and blackmail, and it takes cutting-edge technology to protect your assets.

The GandCrab ransomware family is one such threat that takes root by utilizing weaponized documents. These documents often show up in the mailboxes of unwitting personnel who open them as part of their regular duties. Should a document with the GandCrab ransomware arrive in your mailbox, the weaponized document would encrypt files on your system and blackmail you for a decryption key. Some of the known variants of this kind of threat are already available in malware repositories, and a number of vendors have blacklisted these files. However, there are quite a few who either fail to detect or do not provide protection from weaponized documents.

The weaponized documents sent out as part of the GandCrab campaign contain code that initiates communication to a command and control server, where it will download and execute a secondary payload.

The secondary payload does the heavy lifting of encrypting the system’s files and changing extensions to .CRAB, and finally notifying the user.
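The rename behaviour described above can also be watched for on the endpoint. The following is an added example, not code from SparkCognition or DeepArmor: it flags any process that renames several files to the .CRAB extension in a short time. The event tuple format, the window and the threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath

RANSOM_EXT = ".crab"   # extension named in the article, compared case-insensitively
WINDOW_SECONDS = 10    # assumed tuning value
THRESHOLD = 3          # assumed tuning value: renames per process within the window

# Constructed sample file-rename events: (epoch seconds, pid, old path, new path)
SAMPLE_EVENTS = [
    (50,  900,  r"C:\Users\a\Desktop\notes.txt",     r"C:\Users\a\Desktop\notes.CRAB"),
    (90,  2200, r"C:\Users\a\Documents\report.docx", r"C:\Users\a\Documents\report_final.docx"),
    (100, 4120, r"C:\Users\a\Documents\budget.xlsx", r"C:\Users\a\Documents\budget.xlsx.CRAB"),
    (101, 4120, r"C:\Users\a\Documents\plan.docx",   r"C:\Users\a\Documents\plan.docx.CRAB"),
    (102, 4120, r"C:\Users\a\Pictures\site.jpg",     r"C:\Users\a\Pictures\site.jpg.crab"),
    (103, 4120, r"C:\Users\a\Pictures\team.png",     r"C:\Users\a\Pictures\team.png.CRAB"),
    (500, 900,  r"C:\Users\a\Desktop\todo.txt",      r"C:\Users\a\Desktop\todo.CRAB"),
]


def is_crab_rename(old_path, new_path):
    """True when a file that did not end in .CRAB is renamed so that it does."""
    old_ext = PureWindowsPath(old_path).suffix.lower()
    new_ext = PureWindowsPath(new_path).suffix.lower()
    return new_ext == RANSOM_EXT and old_ext != RANSOM_EXT


def detect_bursts(events, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Return {pid: timestamp of first alert} for processes that rename at
    least `threshold` files to .CRAB within `window` seconds."""
    recent = defaultdict(deque)   # pid -> timestamps of recent .CRAB renames
    alerts = {}
    for ts, pid, old_path, new_path in sorted(events):
        if not is_crab_rename(old_path, new_path):
            continue
        stamps = recent[pid]
        stamps.append(ts)
        while stamps and ts - stamps[0] > window:   # drop renames outside the window
            stamps.popleft()
        if len(stamps) >= threshold and pid not in alerts:
            alerts[pid] = ts
    return alerts


if __name__ == "__main__":
    for pid, ts in detect_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} burst of {RANSOM_EXT} renames at t={ts}")
```

A rename burst only appears once encryption is under way, so this check complements pre-execution blocking rather than replacing it.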

The good news is that users of DeepArmor are protected from these forms of threats. SparkCognition developed the first artificial intelligence that detects weaponized documents pre-execution. Our AI models see the intent of these files and block them from ever running, even when they have never seen the file before.

Anti-malware built from AI has repeatedly demonstrated superior ability to catch zero-day and polymorphic malware missed by first- and second-generation products. For more information about DeepArmor, please contact
