GandCrab: Wishing You an Unhappy Birthday

A source of much misery, the GandCrab family of ransomware has had a very successful first year. But there’s plenty you can do about it.

GandCrab debuted in late January 2018 and quickly became a favorite with attackers and a source of misery and expense for SOC teams and other defenders. Within two months, Check Point was reporting that GandCrab had infected more than 50,000 victims and generated $600,000 in ransom fees for its affiliates in cybercrime. (An estimated 30 percent of that total went to the developers.) Thereafter, GandCrab’s user-friendly, software-as-a-service business model and its track record for evolving rapidly made it the most popular and widespread ransomware of 2018.

This success came at a time when ransomware was being commoditized: its overall share of the cybercrime market was declining (as was the number of active ransomware families), and countermeasures were becoming more effective and widespread. In response to these changes, many threat actors shifted their focus to cryptocurrency mining malware, which had the potential to be far more lucrative than ransomware. With competition in its market space thus diminished, GandCrab has continued to thrive.

Rude Russian Memes and an Agile Development Approach

A likely reason for GandCrab’s high media profile is a confident style that attracts industry press coverage, draws customers by playing on the aspirations of hacker wannabes and offers shoutouts to malware researchers whose job it is to reverse-engineer the latest GandCrab code. Message strings have even included the occasional rude meme, delivered in Russian.

More importantly, GandCrab has maintained its technology leadership by using Agile development methods to respond to customer needs, stay ahead of competitors and outmaneuver security teams at targeted organizations. In its first year, GandCrab released five versions and several minor variants of its malware. While the basic mechanisms remained constant, the authors bolstered its evasiveness by adding, tweaking, deleting and reinstating features relating to distribution, the malware payload and evasive measures within the packer. (Click here for a detailed analysis of this evolution, through v4.)

Responding to market needs

Below are some examples of GandCrab’s customer-driven and market-driven adaptations.

Enhancing revenue: In early January, the Vidar info-stealer was added to GandCrab’s distribution process, allowing attackers to generate a second stream of revenue, beyond the collection of ransom fees. Vidar can steal high-level system details, credit card numbers and user credentials. It can also scrape data from diverse cryptowallets. All this information can then be sold and exploited for nefarious purposes.

Targeting high-value victims: Ransomware authors have been moving away from broad, high-volume attacks that make modest ransom demands, instead preferring targeted attacks on victims who are perceived as having the resources to pay larger ransom fees. GandCrab v5 facilitated this change by adding a new malware distribution method, Remote Desktop Protocol (RDP), to its other distribution options.

Speeding up encryption: Once defenders have been alerted that file encryption has begun or is imminent, a quick response can stop files from being fully encrypted, thereby minimizing the damage of an attack. By switching from the AES cipher to the much faster Salsa20 cipher, the GandCrab team narrowed the time window in which defenders might be able to halt an attack.

Countering countermeasures: GandCrab’s authors move quickly to defeat successful countermeasures. For example, for v1 and v5.0.3, researchers released a decryption utility that lets victims recover their files without paying a ransom. In response, the malware’s authors immediately released an update so that anyone newly infected by the later version could not use that decryptor.

A Defense Based More on Diligence Than Dazzle

Mounting a successful defense against GandCrab is more a matter of diligence than dazzle. The usual security prescriptions apply, with extra precautions that are specific to this malware family.

  • Always follow best practices for software updates and security patches—especially for vulnerable Windows, Office and Adobe products. Closing internet-exposed RDP ports—or securing them with a strong password and two-factor authentication—also strengthens defenses against ransomware.
  • Be sure your backup strategy includes offline backups. GandCrab encrypts backup files that have been saved to local machines. Restoring those files from offline backups is time-consuming and adds to recovery costs, but it’s still preferable to the alternatives: paying the ransom or losing access to encrypted data until a decryption utility is developed (which doesn’t always happen).
  • Keep antivirus software and static detection current. Today’s antivirus endpoint software, which combines signature-based and behavior-based detection, does a very good job spotting known ransomware, such as GandCrab, and a decent job recognizing unknown variants. Static analysis can be effective in detecting elements found in email attachments—such as macros and JavaScript files—that download GandCrab.
  • Increase the accuracy of detection with a malware sandbox. Adding dynamic analysis to an organization’s anti-ransomware defenses addresses some of the shortcomings of other detection methods. For example, AV typically blocks known ransomware before it starts to execute. While this prevents an attack from progressing, it also leaves analysts in the dark about the full extent of the threat. Isolated in the safe environment of a sandbox, suspect files and URLs can be allowed to run freely so the full extent of the malware’s behavior can be observed. This added insight enhances detection, decision-making and incident response.
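As an added illustration (not code from the article or from VMRay), the static-detection and sandbox steps above can be sketched as a mail-gateway triage routine in Python: script attachments are blocked outright, and Office documents that embed a VBA project are routed to a sandbox for detonation instead of being delivered. The extension lists, the `vbaProject.bin` marker check and the block/sandbox/allow policy are my assumptions, and the sample attachments are constructed in the script.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed attachment classes (the article names macros and JavaScript files
# as GandCrab download vectors); the exact extension sets are my choice.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs"}
OFFICE_EXTENSIONS = {".doc", ".docm", ".docx", ".xls", ".xlsm", ".xlsx", ".ppt", ".pptm"}
MACRO_MARKER = "vbaproject.bin"   # OOXML (zip) Office files store VBA in this part
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office container header


def has_ooxml_macro(data: bytes) -> bool:
    """Return True if a zip-based Office document carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith(MACRO_MARKER) for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment as 'block', 'sandbox' or 'allow' (assumed policy)."""
    ext = PurePosixPath(filename.lower()).suffix  # last suffix, so 'invoice.pdf.js' -> '.js'
    if ext in SCRIPT_EXTENSIONS:
        return "block"      # script files have no legitimate use as mail attachments here
    if ext in OFFICE_EXTENSIONS:
        if has_ooxml_macro(data):
            return "sandbox"  # macro present: detonate before delivery
        if data.startswith(OLE_MAGIC):
            return "sandbox"  # legacy binary format: static macro check needs OLE parsing, defer
        return "allow"
    return "allow"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal zip-based Office document for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # constructed placeholder
    return buf.getvalue()


if __name__ == "__main__":
    samples = {"invoice.docm": build_ooxml(True), "report.docx": build_ooxml(False),
               "receipt.pdf.js": b"var x = 1;", "notes.txt": b"hello"}
    for name, blob in samples.items():
        print(f"{name:16} -> {triage_attachment(name, blob)}")
```

A clean verdict of "allow" only means no macro part or script extension was found; the sandbox tier is what catches delivery mechanisms the static checks do not model.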

There’s Plenty You Can Do

While GandCrab’s creators have proven resourceful in sustaining their dominance in the ransomware world, there are plenty of basic “blocking and tackling” steps security teams can take to harden their defenses and reduce their exposure. Combining the strengths of signature-based reputation services, static analysis and the deep insight provided by dynamic analysis, security teams can tackle such threats successfully and protect their organizations.

Tamas Boczan

As a Senior Threat Analyst at VMRay, Tamas Boczan is responsible for finding and analyzing relevant malware samples and improving VMRay's detection capabilities. Prior to VMRay, he researched evasive malware and developed a malware analysis sandbox at an Anti-Virus company.