704-200-2024 [email protected]

A new malware attack has been detected in the wild. This nasty combines two known pieces of malware: the Vidar data harvesting malware followed by GandCrab ransomware.

Vidar exfiltrates a wide variety of data, including passwords, documents, screenshots, stored 2FA information, and cryptocurrency wallets. and sends that to its C&C server. Next, GandCrab encrypts the infected system and displays a ransom demand. This demonic duo adds insult to injury.

Following the trails of a malvertising campaign targeting users of torrent trackers and video streaming websites, malware researchers found that Fallout Exploit Kit was used to spread a relatively new infostealer called Vidar, which doubled as a downloader for GandCrab.

Running an infostealer before deploying the ransomware ensures some money for the adversary even if the victim does not pay the ransom. Even if the cybercriminals do not use the stolen data themselves, they can sell it on underground forums. Here is a diagram of how this was put together

Fallout Vidar Gand Crab
  • https://www.facebook.com/855ITLogix
  • https://twitter.com/855itlogix
  • https://www.reddit.com/user/itlogix
  • https://www.linkedin.com/company/855itlogix/


  • www.theregister.co.uk: She will lock you out, livin’ la Vidar loca: Enterprising crims breed ransomware, file thief into hybrid nasty
  • www.zdnet.com: Double trouble: Two-pronged cyber attack infects victims with data-stealing trojan malware and ransomware
  • www.bleepingcomputer.com: GandCrab Operators Use Vidar Infostealer as a Forerunner
  • www.scmagazine.com: Cybercriminals double up using Vidar and GandCrab in single attacks