Overview
GandCrab Ransomware first appeared in the wild early this year and rapidly evolved over the months. Since its initial manifestation, in January 2018, the ransomware has undergone development and there have been 5 versions of the ransomware in 7 months. It is believed that the malware netted its operators over $600,000 in ransom payments.
Infection Vector and Ransom
Most commodity malware works by enticing a user to click on a link or by sending spam emails to unsuspecting users. GandCrab is no different.
In the case of GandCrab, the phishing email either contains links to malicious JavaScript or carries a dropper file as an attachment. The malicious attachments (embedded in MS Office documents) contain malicious scripts that can download exploits from exploit kits, or payloads directly. Similarly, compromised websites host malicious SWF advertisements and JS scripts that run on the endpoint and can also host exploits.
The ransomware is also hosted on compromised websites that look like software download sites for cracked applications. Attackers leverage vulnerabilities in Internet Explorer and Adobe Flash Player through exploit kits to drop the payload and execute it. Exploit kits such as GrandSoft, RIG and Magnitude are used by attackers to distribute GandCrab.
Evolution of the Ransomware
Gandcrab V1
The initial version of GandCrab ransomware was found to be distributed through a malvertising campaign called Seamless that directs victims to a RIG exploit kit. It was also the first ransomware to accept the DASH crypto-currency as ransom payment, demanding 1.54 DASH (approx. $1200). Apart from this, it uses Namecoin's decentralized domain name system and its ".bit" top-level domain for its C&C infrastructure. The ransomware encrypts files and appends the ".GDCB" extension. Once a system is infected, the ransomware first tries to establish a connection to its C2 server, which sends back a public key to start the encryption process.
Image: Spam email used to distribute GandCrab
GandCrab V2
Noticeable changes from the previous version include an updated file extension (.CRAB) and updated hostnames for the Command & Control servers, namely politiaromana[.]bit, malwarehunterteam[.]bit and gdcb[.]bit. The content of the ransom note was updated with instructions on communicating with the ransomware developers and obtaining decryption keys.
Image: Encrypted Files with .CRAB extension
Source: https://www.bleepingcomputer.com/news/security/gandcrab-v4-released-with-the-new-krab-extension-for-encrypted-files
GandCrab V3
GandCrab ransomware version 3 was found to be distributed via the Magnitude exploit kit. This version comes with a low-resolution desktop background that contains the ransom note text. When installed, it encrypts files with the .CRAB extension, sets the background and automatically reboots the computer. The ransomware communicates with the domain "carder.bit".
Image: GandCrab Distributed via Magnitude Exploit Kit
GandCrab V4.0
GandCrab ransomware version 4 was released with a few updates over the previous version. Prominent updates include a change to the encryption mechanism, a new extension (.KRAB), updates to the ransom note and payment demanded on a new TOR site. The ransomware was distributed via fake software crack sites, which lure users into downloading software for free. When a user downloads and executes the software, GandCrab ransomware gets installed. It then scans the computer and network shares, encrypts all shares on the network, appends the .KRAB extension and drops a ransom note.
GandCrab V4.1
The latest version of the GandCrab ransomware spreads via the NSA's EternalBlue SMB exploit. It attempts to infect unpatched Windows XP machines and Windows Server 2003 systems along with the latest operating systems. The behaviour of the ransomware remains constant across versions; however, C2 communication is back in version 4.1. Encryption runs on a separate thread from the C&C communication, so files get encrypted even if the connection to the C&C server fails.
Technical Analysis
A GandCrab version 3 executable was found hosted on a server in Canada (hxxp://185.199.225.114:12547). This IP hosts the same executable under different names. The analysis of GandCrab version 3 is provided below.
Image: Domain contains GandCrab executable
Domain/ Server Analysis
Hostname: 185.199.225.114
IP:Port: 185.199.225.114:12547
Registrar: RIPE NCC
Registrar e-mail: contact@heymman.com
Created: 2017-02-23T12:48:32Z
Reputation score: Low
Based on the analysis and research, it was found that the domain is being used for hosting malicious files only. Here is an example of one of the files that was hosted on the server.
File Name: 1.exe
File Details:
File source: hxxp://185.199.225.114:12547/1.exe (removed)
File size: 260617 bytes
File type: PE32 executable(.exe)
MD5: ff6745411cc69bee286e17f4fba69b35
SHA 256: 747c3e82813bf85e4fdff7e7c1fc277d7ad82526b20224e5c5959e9eebc54225
Detection: 58 / 69
GandCrab Behavioural Analysis
While performing dynamic analysis of the GandCrab sample, the following malicious activities were detected:
- Queries the computer name (1 event): using the GetComputerNameW Windows API, GandCrab obtains the system name.
- Checks whether the process is being debugged (1 event): using the IsDebuggerPresent Windows API, GandCrab checks whether a debugger is attached.
- Uses Windows APIs to generate a cryptographic key (3 events): using the CryptGenKey Windows API, GandCrab generates an RSA (RSA1) key and keeps the key material in a buffer in system memory.
- Checks adapter addresses, which can be used to detect virtual network interfaces (1 event): using the GetAdaptersAddresses Windows API, GandCrab enumerates network interface and adapter details.
- Checks the CPU name from the registry, possibly for anti-virtualization (1 event): GandCrab reads HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString to obtain processor details and infer whether it is running in a virtualized environment.
- Installs itself for autorun at Windows startup (1 event): GandCrab sets the value cwekmntohtt under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce to "C:\Users\user\AppData\Roaming\Microsoft\furqev.exe", creating a startup entry on the Windows system.
The ransomware copied itself into the "%AppData%\Roaming\Microsoft\" folder and created the startup registry entry.
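The persistence entry described above (a RunOnce value launching a randomly named executable dropped loose in AppData\Roaming\Microsoft) is easy to hunt for in a registry export. The following Python is an added example written for this page, not tooling from the original analysis; the registry rows in SAMPLE_ENTRIES are constructed (the first mirrors the key, value name and path reported above, the others are benign look-alikes), and the script expects (key, value name, data) tuples, which you would produce from your own collection.

```python
"""Autorun/persistence triage for the registry pattern observed above: a
Run/RunOnce value whose data launches an executable dropped directly under
%AppData%\\Roaming\\Microsoft\\.  Added example; not tooling from the original
analysis.  SAMPLE_ENTRIES is constructed (the first row mirrors the key, value
name and path from the report, the rest are benign look-alikes)."""
import re
from typing import Iterable, List, Tuple

Entry = Tuple[str, str, str]  # (registry key, value name, value data)

# Startup locations: ...\CurrentVersion\Run or ...\CurrentVersion\RunOnce,
# under HKLM or HKCU, with or without the Wow6432Node redirection.
AUTORUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)(\\|$)", re.IGNORECASE)

# Executable sitting directly in the roaming AppData\Microsoft folder, either
# as an absolute path or via the %AppData% variable (optionally quoted).
APPDATA_DROP = re.compile(
    r'^"?(?:[a-z]:\\users\\[^\\]+\\appdata\\roaming|%appdata%)'
    r'\\microsoft\\([^\\"]+\.exe)"?', re.IGNORECASE)


def triage_autoruns(entries: Iterable[Entry]) -> List[dict]:
    """Return one finding per startup entry that matches the drop pattern."""
    findings = []
    for key, value_name, data in entries:
        if not AUTORUN_KEY.search(key):
            continue                      # not a startup location at all
        match = APPDATA_DROP.match(data.strip())
        if not match:
            continue                      # ordinary program path, ignore
        findings.append({
            "key": key,
            "value_name": value_name,
            "image": match.group(1),
            # RunOnce values are deleted after a single launch, so the evidence
            # disappears at the next boot: treat them as higher priority.
            "severity": "high" if "\\runonce" in key.lower() else "medium",
            "reason": "startup entry launches an executable dropped directly "
                      "under AppData\\Roaming\\Microsoft",
        })
    return findings


SAMPLE_ENTRIES: List[Entry] = [
    # Constructed from the key, value name and path reported in the analysis.
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce",
     "cwekmntohtt", r'"C:\Users\user\AppData\Roaming\Microsoft\furqev.exe"'),
    # Constructed benign entries: legitimate software lives in vendor
    # sub-folders or under the Windows directory, not loose in AppData\Microsoft.
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "OneDrive", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
    # Not a startup key at all; must be skipped regardless of its data.
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", "1"),
]


if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_ENTRIES):
        print(f"[{finding['severity']}] {finding['key']}\\{finding['value_name']}"
              f" -> {finding['image']}: {finding['reason']}")
```

RunOnce entries are rated higher because they self-delete after the first launch: if you only collect autoruns after a reboot, the key is gone and the copied binary in AppData is the only trace left.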
Image: System details exfiltration
The following image shows that GandCrab leverages many Windows APIs to obtain the system name, processor details, hard disk details, user information, network details and configuration details. The ransomware's encryption routine is built on these details.
Wallpaper changed by GandCrab ransomware
GandCrab has released many versions; however, only 3 versions have the capability to change the system wallpaper.
Image: GandCrab change system wallpaper
The ransomware encrypts files and forces the system to reboot. In our tests on Windows 10 and Windows 8.1 systems, the machine was able to start up normally; however, the wallpaper had been changed by the malware.
System Information
GandCrab gathers system details such as the IP address, process details, presence of anti-virus software, presence of a virtualized environment and use of any debugging tools via Windows APIs, and sends all of the collected information to the C2 server.
Image: Checks Presence of antivirus
Ransom-note
Once the ransomware has finished encrypting the computer, GandCrab drops a ransom note in every directory on the computer. This ransom note is named GDCB-DECRYPT.txt and contains a list of TOR gateways that can be used to access the payment site.
Image: Ransom-note of GrandCrab V3
The TOR gateway of GandCrab is "http://gandcrab2pie73et.onion/".
Network Activity
When GandCrab ransomware is executed, the infected machine connects to a number of IPs/domains, and the following activity was detected:
· ipv4bot.whatismyipaddress.com: used for fetching the system's public IP and location details.
· 66.171.248.178:80 (carder.bit): "carder.bit" is the server the ransomware communicates with.
It was found that the attacker obtains the victim's machine information via the following request, which carries the User-Agent shown:
GET / HTTP/1.1
Host: carder.bit
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Cache-Control: no-cache
The server answered with 200 OK.
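The two-step network pattern above (public IP lookup, then a check-in to a Namecoin ".bit" host with an IE11-style User-Agent) is what a proxy-log detection should key on, rather than the User-Agent alone, which is a common legitimate string. The following Python is an added example written for this page, not tooling from the original report; the log lines are constructed in a simple space-separated format of my own (timestamp, client IP, method, host, path, quoted User-Agent, status), and the indicator sets are taken from the hosts and IP named in this analysis.

```python
"""Detection over web-proxy log lines for the sequence described above: an
external IP lookup (ipv4bot.whatismyipaddress.com) followed by a check-in to
a Namecoin ".bit" C2 such as carder.bit, sent with an IE11-style User-Agent.
Added example; not tooling from the original report.  LOG_LINES are
constructed in the format:
  <timestamp> <client-ip> <method> <host> <path> "<user-agent>" <status>"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Indicators named in the analysis above.
C2_HOSTS = {"carder.bit", "politiaromana.bit", "malwarehunterteam.bit", "gdcb.bit"}
C2_IPS = {"66.171.248.178"}
IP_LOOKUP_HOSTS = {"ipv4bot.whatismyipaddress.com"}
IE11_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) '
    r'(?P<path>\S+) "(?P<ua>[^"]*)" (?P<status>\d{3})$')


def classify(host: str, ua: str) -> List[str]:
    """Indicator tags for one request; an empty list means nothing notable."""
    tags = []
    if host in IP_LOOKUP_HOSTS:
        tags.append("external-ip-lookup")
    if host in C2_HOSTS or host.split(":")[0] in C2_IPS:
        tags.append("known-gandcrab-c2")
    elif host.endswith(".bit"):
        tags.append("namecoin-bit-tld")   # .bit never resolves through normal DNS
    if tags and ua == IE11_UA:
        tags.append("ie11-ua")             # UA string seen in the C2 check-in
    return tags


def detect(lines: List[str], window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Group indicators per client and flag clients whose IP lookup was
    followed by a C2/.bit contact within `window`."""
    per_client: Dict[str, dict] = defaultdict(lambda: {"tags": set(), "events": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                                   # malformed line, skip
        tags = classify(m["host"], m["ua"])
        if not tags:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rec = per_client[m["client"]]
        rec["tags"].update(tags)
        rec["events"].append((ts, m["host"], tags))
    for rec in per_client.values():
        lookups = [t for t, _, tg in rec["events"] if "external-ip-lookup" in tg]
        c2s = [t for t, _, tg in rec["events"]
               if "known-gandcrab-c2" in tg or "namecoin-bit-tld" in tg]
        rec["sequence"] = any(timedelta(0) <= (c - l) <= window
                              for l in lookups for c in c2s)
    return dict(per_client)


LOG_LINES = [
    # Constructed sample lines; client 10.0.0.15 mimics the infection sequence.
    '2018-05-10T09:58:01Z 10.0.0.22 GET www.microsoft.com /en-us/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 200',
    '2018-05-10T10:03:12Z 10.0.0.15 GET ipv4bot.whatismyipaddress.com / "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 200',
    '2018-05-10T10:03:15Z 10.0.0.15 GET carder.bit / "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" 200',
    # A lone lookup with no follow-up C2 contact: noisy, but not the sequence.
    '2018-05-10T10:20:40Z 10.0.0.31 GET ipv4bot.whatismyipaddress.com / "curl/7.58.0" 200',
    'this line is garbage and must be skipped',
]


if __name__ == "__main__":
    for client, rec in detect(LOG_LINES).items():
        print(client, sorted(rec["tags"]), "SEQUENCE" if rec["sequence"] else "")
```

The ".bit" rule is worth keeping even without a known-host match: the TLD is not served by public DNS, so a proxy seeing a Host header ending in .bit is seeing a client that brought its own resolver or a hard-coded IP, which is exactly the C2 behaviour described here.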
Impact
The malware collects data from the system and starts encrypting files in the victim's environment. After encryption, the C&C server is notified and the malware removes itself from the system.
New features and constant updates to the source code make GandCrab one of the most prevalent malware families used to conduct widespread attacks.
Remediation
The following remediations are suggested:
- Have a strong data storage, backup and restoration policy.
- Have an endpoint detection and response (EDR) solution that can thwart attacks that evade anti-virus solutions.
- Ensure that all IT and security software is up to date.
- Ensure that IT resources are exposed to the required personnel only, e.g. ports 3389 and 445.
- Create awareness programs for employees on the best practices to follow when working with email and browsing the internet.
GandCrab Ransomware Version Metrics
VERSION | GandCrab V1 | GandCrab V2 | GandCrab V3 | GandCrab V3.1 | GandCrab V4 | GandCrab V4.1 |
RELEASE | Jan 31st | March 5th | April 3rd | May 9th | July 1st | July 5th |
AFFECTED VICTIMS | 50000 | N/A | N/A | N/A | N/A | N/A |
RANSOM NOTE FILE | GDCB-DECRYPT.txt | CRAB-DECRYPT.txt | CRAB-DECRYPT.txt | CRAB-DECRYPT.txt | KRAB-DECRYPT.txt | KRAB-DECRYPT.txt |
EXTENSION | .GDCB | .CRAB | .CRAB | .CRAB | .KRAB | .KRAB |
DROP FILE | %appdata%\<8hex-chars>.lock | %appdata%\<8hex-chars>.lock | %appdata%\<8hex-chars>.lock | %appdata%\<8hex-chars>.lock | %appdata%\<8hex-chars>.lock | %appdata%\<8hex-chars>.lock |
DATA ENCRYPTION | RSA-2048 | RSA-2048 | RSA-2048 | RSA-2048 | Salsa20 | Salsa20 |
EXPLOIT | web exploit, PDF exploit | Spam Mail Campaign | Spam Mail Campaign | inject payload svchost | | SMB Exploit |
OTHER ATTRIBUTES | (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) | (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) | wallpaper change ,(Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) | (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) | contains a private and a public key, (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) | (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) |
PACKER INFO | hammering | ReflectiveLoader | ReflectiveLoader | | ReflectiveLoader | |
C&C CONNECTION | Available | Available | Available | Available | | Available |
STRING OBFUSCATION | Available | Available | Available | | Available | |
INFO GATHERING | #KeyboardLayoutCheck #mutex #AntiVirusChecks, #AntiVM | #IPAddress, #UserName, #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture, #Network #LocalDrives #C&C #mutex #AutoRun #AntiAnalysis #AntiVirus #AntiVM #C&C #URLGeneration #deleteItSelf | #IPAddress, #UserName, #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture, #Network #LocalDrives #C&C #mutex #AutoRun #AntiVirus #AntiVM #C&C #URLGeneration #deleteItSelf | #IPAddress, #UserName, #ComputerName #Network #DOMAIN #OperatingSystem #Processor #Architecture, #Network #LocalDrives #C&C #URLGeneration #mutex #AntiVM #C&C #deleteItSelf | #UserName, #ComputerName #OperatingSystem #Processor #Architecture #C&C #mutex #AntiVM #C&C #deleteItSelf | #IP Address, #User name, #Computer #name, #Network #DOMAIN, #Operating #System, #Processor #Architecture, #Network #LocalDrives #C&C #URLGeneration |
PROCESS LOAD | encryption.dll, ReflectiveLoader() | inject payload svchost | inject payload svchost | inject payload svchost | | |
DECRYPTION TOOL | available (europol) | | | | | |
RANSOM METHOD | crypto-currency DASH (400 USD) | crypto-currency DASH(800 USD) | crypto-currency DASH (1200 USD) | crypto-currency DASH (1200 USD) | crypto-currency DASH (1,200 USD) | crypto-currency DASH (4000 USD) |
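The extension, ransom note and drop file rows of the table above are the on-disk artifacts a responder can use to confirm an infection and narrow down the version. The following Python is an added example written for this page, not tooling from the original report: it walks a directory tree, counts encrypted files per extension, records which directories received a note, finds the %appdata%\<8hex-chars>.lock drop file, and maps what it finds back to the version groups in the table. The sample tree it scans is constructed in a temporary directory so the code runs offline.

```python
"""Post-incident filesystem triage using the per-version artifacts from the
table above: encrypted-file extensions (.GDCB / .CRAB / .KRAB), ransom note
names (GDCB-/CRAB-/KRAB-DECRYPT.txt) and the %appdata%\\<8hex-chars>.lock
drop file.  Added example; not tooling from the original report.  The sample
tree is constructed in a temporary directory so the scan runs offline."""
import os
import re
import shutil
import tempfile
from collections import Counter
from typing import Dict, Set

# Version hints per artifact, as listed in the metrics table.
EXTENSION_VERSIONS = {".gdcb": "V1", ".crab": "V2/V3/V3.1", ".krab": "V4/V4.1"}
NOTE_VERSIONS = {"gdcb-decrypt.txt": "V1", "crab-decrypt.txt": "V2/V3/V3.1",
                 "krab-decrypt.txt": "V4/V4.1"}
LOCK_FILE = re.compile(r"^[0-9a-f]{8}\.lock$", re.IGNORECASE)


def scan_tree(root: str) -> Dict[str, object]:
    """Walk `root` and collect GandCrab artifacts into a report dict."""
    encrypted: Counter = Counter()
    encrypted_dirs: Set[str] = set()
    note_dirs: Set[str] = set()
    lock_files = []
    versions: Set[str] = set()
    for dirpath, _, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in filenames:
            lower = name.lower()
            ext = os.path.splitext(lower)[1]      # GandCrab appends its extension
            if ext in EXTENSION_VERSIONS:
                encrypted[ext] += 1
                encrypted_dirs.add(rel_dir)
                versions.add(EXTENSION_VERSIONS[ext])
            elif lower in NOTE_VERSIONS:
                note_dirs.add(rel_dir)
                versions.add(NOTE_VERSIONS[lower])
            elif LOCK_FILE.match(lower):
                lock_files.append(os.path.join(rel_dir, name))
    return {
        "encrypted": dict(encrypted),
        "note_dirs": sorted(note_dirs),
        "lock_files": sorted(lock_files),
        "versions": versions,
        # A note in a directory holding no encrypted files usually means the
        # run was interrupted there or the folder held nothing it targets.
        "notes_without_encrypted": sorted(note_dirs - encrypted_dirs),
    }


def build_sample_tree() -> str:
    """Create a constructed, V3-style (.CRAB) infected-looking tree."""
    root = tempfile.mkdtemp(prefix="gandcrab-triage-")
    layout = {
        "Documents": ["report.docx.CRAB", "budget.xlsx.CRAB", "CRAB-DECRYPT.txt"],
        "Pictures": ["holiday.jpg.CRAB", "CRAB-DECRYPT.txt"],
        "Empty": ["CRAB-DECRYPT.txt"],              # note dropped, nothing encrypted
        os.path.join("AppData", "Roaming"): ["1a2b3c4d.lock"],
        "Downloads": ["setup.exe"],                 # untouched file
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            with open(os.path.join(d, n), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


def triage_sample() -> Dict[str, object]:
    """Build the constructed tree, scan it, clean up, return the report."""
    root = build_sample_tree()
    try:
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    report = triage_sample()
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host, call scan_tree() on the user profile root; the "versions" set tells you which decryptor to look for (the table notes a Europol decryption tool for V1 only), and "notes_without_encrypted" helps separate folders that were skipped from those where encryption was cut short.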