Decrypting GandCrab Ransomware

crab.jpg

GandCrab has been circulating in many different forms after the past 2 years. This type of ransomware made headlines for the creators’ very public feud with Bitdefender, and for the investment in distribution and payment technology that the owners have made. Currently, v5 uses an intuitive payment portal via unique TOR sites for each attack. The sites offer several features that demonstrate the group’s focus on profitable conversion of their attacks. We will go through those features below.

Like most types of ransomware currently circulating, GandCrab typically leverages hacked RDP access as the means for ingress. The hacker first gains access by:

  • Purchasing previously brute-forced credentials from sites like XDedic.

  • Phishing an employee of the company to gain control of their machine, then using access to brute force from inside the network.

  • Brute forcing RDP ports found on search sites like Shodan.

The public and lateral access conveyed by RDP enables the hacker to comprehensively spread the ransomware across a multitude of devices like individual machines, servers, and backup systems. Additionally, recent variants like .combo are using a complicated two-step decryptor tool.

The Tor Site:

An infected machine or group of machines will display a randomized set of file extensions on encrypted data. Unlike prior versions which utilized the .crab brand, this version better evades some AV tools by creating unique randomized file extensions for each attack. A {}.decrypt.txt file is dropped on the encrypted machine with the unique randomized digits at the start. The file provides instructions on how to visit the tor site. The site itself has four tabs under its navigation.

The first page is the “What the matter” page:

What is the matter (1).png

This page can be toggled into 8 different languages, provides the ransom amount and a live counter with notes on the price escalation terms. As usual with ransomware notes they try to provide some useful links on how to quickly acquire cryptocurrency for payment.

The second tab is the “Buy GandCrab Decryptor” page:

Buy GandCrab Decryptor.png

The site allows payment in either Bitcoin or Dash, and a user can toggle between either currency, which updates FX rates and wallet addresses. This current version charges a 10% premium for payments made in Bitcoin vs Dash due to costs the hackers incur mixing bitcoin after collection. When a payment is made correctly, the site detects the wallet that matches the payment terms, and the payment shows up at the base of this tab. After 3 confirmations (20-30 minutes after payment), an interstitial pops up on this page upon refresh with a link to download the decryptor and instructions on how to use it. For clients that we have assisted, the data recovery rate is 100%, though the decryptor runs slower than others we have worked with and is prone to crashing. We also note that incident response firms that frequent these pages are offered a discount code that can be applied to the checkout page (we pass this discount on to our clients with 100% transparency).

On the “Support is 24/7” tab, there is a simple chat box.

Support is 24-7.png

There is also a call to action for data recovery firms to receive a discount code (mentioned above) which can be used on future settlements. They do provide a stern warning that if they see the code on any public forums, it will be blocked. In our recovery work, we have used this chat box at all hours of the day and week, and have experienced almost no latency in responsiveness. We have even been transferred to a new support person between their shifts with no loss of support. Frankly, it is a bit scary how good they are at support – but for good reason: they recognize that good support equals payment conversion. This is simply a sales funnel and the faster the conversion cycle the better for them.

On the ‘Test decrypt’ tab, a user can upload an encrypted file and receive the decrypted result with almost no latency.

Test Decrypt.png

Thoughts:

This payment front end is a scary vision of deep technical and organization design work – a major investment of human and financial capital by the hacker groups to scale collection of ransomware payments. The pace of iteration we have observed is also measured in weeks, as new variants of the malware are released and improvements to the front end make attacks cheaper to stage and more profitable to collect on. As we assist more and more clients with ransomware recoveries, one thing is clear. The gap between who is winning and losing this battle is rapidly expanding.

If you need help decrypting GandCrab ransomware or any other variant please don’t hesitate to reach out for help.



*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at: https://www.coveware.com/blog/2018/10/10/decrypting-gandcrab-ransomware-tor-front-end-amp-support-that-are-currently-unmatched

Bill Siegel

Bill Siegel

Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.

bill-siegel has 21 posts and counting.See all posts by bill-siegel