Gang’s Cult Status and Marketing Savvy Belies Shoddy Attack Code, McAfee Says
The notorious GandCrab ransomware gang in recent weeks released version 5 of its crypto-locking malware. Security researchers say that new “ransomware as a service” affiliates have been lining up to use the latest strain, returning a cut of their profits to the GandCrab developers.
The debut of the latest version of GandCrab is a reminder that while ransomware’s popularity may have declined over the past year, it continues to be a source of cybercrime profit for many individuals and gangs, sometimes via very targeted attacks (see Ransomware Crypto-Locks Port of San Diego IT Systems).
The GandCrab crew also appears to be expert at creating buzz around its latest wares.
“The prospect of making money not only attracts new affiliates, but also leads to the formation of new alliances between GandCrab and other criminal services that strengthen the malware’s supply and distribution networks,” McAfee researchers Alexandre Mundo, John Fokker and Thomas Roccia write in a blog post. “One of these alliances became obvious during version 4, in which the ransomware started being distributed through the new Fallout exploit kit.”
They say this alliance still appears to be in place with the release of version 5, “as the GandCrab crew openly endorsed FalloutEK.”
Another announcement by the GandCrab gang with the release of version 5 concerned a new partnership with NTCrypt, which is a malware crypter service that’s designed to alter malicious code to make it more difficult for security tools to detect. In short, such a service helps whomever is using the ransomware to infect more systems.
“The partnership between GandCrab and NTCrypt was established in a novel way. At the end of September, the GandCrab crew started a ‘crypt competition’ on a popular underground forum to find a new crypter service they could partner with,” the McAfee researchers say. “NTCrypt applied and eventually won the competition.”
Such an approach is hardly unique. Many cybercrime gangs – including ransomware developers – outsource parts of their operations, for example, by using affiliates, or third-party crypting services. This cybercrime-as-a-service approach, or cybercrime supply chain, enables different groups to practice their core competencies while working together to earn more illicit profits than they would be able to garner, working individually (see Cybercrime as a Service: Tools + Knowledge = Profit).
Gang’s Core Competency: Marketing
Thankfully for many victims, the GandCrab gang’s swagger doesn’t always equal its skills.
“The group behind GandCrab has achieved cult status in underground forums; the authors are undoubtedly confident and have strong marketing skills, but flawless programming is not one of their strengths,” the McAfee researchers say.
Indeed, all forms of GandCrab to date have included sufficient flaws that security researchers have been able to release free decoders for anyone whose system may have been crypto-locked by the ransomware.
An independent malware researcher known as Valthek has published “vaccines” for many versions of GandCrab that can decrypt files, and for GandCrab versions 4.x through 5.0.2 can block the ransomware from crypto-locking anything.
“McAfee has verified that these vaccines are effective,” the security firm’s researchers say. “The vaccine has versions with and without persistence. The version with persistence creates a random filename in a special folder and writes a special random entry in the registry to run each time with the system. In this case, the machine will always be protected against this malware (at least in its current state of Oct. 10, and perhaps in the future).”
Unfortunately, as ransomware developers continue to refine their wares, they often eventually do find a way to forcibly encrypt files in a manner that precludes researchers from finding an easy way to decrypt them, as happened with Cerber ransomware (see Cerber 2 Ransomware: Free Decryption Tool Released).
Top Infection Vectors
The McAfee researchers say GandCrab typically infects systems in a number of ways:
GandCrab Targets ‘SandboxEscaper’ Exploit
GandCrab version 5 ships in two versions, with the first only working against Windows 7 or newer because of a compiling-time mistake, McAfee says. One version adds a .CRAB or .KRAB extension to crypto-locked files, while the other chooses a random five-letter extension.
The versions target exploits designed to escalate the malware’s permissions on the systems.
The first version targets a flaw revealed in August by the security researcher known as “SandboxEscaper,” they note, which has been designated as CVE-2018-8440 (see Microsoft Zero-Day Exploit Published Before Patch).
The other version targets CVE-2018-8120, a kernel privilege-escalation flaw in Windows 7, Windows Server 2008 and Windows Server 2008 R2 patched by Microsoft in May. A successful exploit allows the malware to run with system-level privileges, the McAfee researchers note.
Despite targeting these flaws, GandCrab version 5.0.2 often fails to work as advertised, the researchers say. “For example, in Windows XP, the second release of Version 5 runs but does not encrypt the files,” they say, noting that they know why, but in an effort to not help the ransomware development team, aren’t telling.
The first strains of GandCrab were spotted in January, crypto-locking infected PCs and demanding a ransom of between $300 to $500, payable in the virtual currency Dash, although some versions demanded bitcoin.
Dash is one of several virtual currencies that have sought to improve on bitcoin by making transactions less traceable. Security experts warned that the ransomware was frequently spread via legitimate sites that had been hacked by attackers (see Crabby Ransomware Nests in Compromised Websites).
In less than a month, Interpol warned, the ransomware had infected at least 50,000 systems. But Romanian security firm Bitdefender, together with Romanian police and the EU’s law enforcement intelligence agency, Europol, released a free decryption tool, which has been updated as the ransomware developers have updated their code (see Ransomware: No Longer Sexy, But Still Devastating).
Exploit Kit Blues
Unusually, from its start, GandCrab was also being spread via exploit kits.
These automated exploit kits probe systems – typically via their browser, in what’s known as drive-by attacks – for known flaws. Historically, the abundance of easily exploitable bugs in widely distributed software such as Internet Explorer, Java and Adobe Flash, gave attackers ample opportunities to build large botnets out of myriad compromised systems in little time.
But software vendors’ security improvements, including auto-updating software, have dramatically reduced the efficacy of these automated attack toolkits.
Even so, exploit kits aren’t dead yet. The same goes for ransomware, which was a dominant cybercrime tool throughout 2016 and 2017. But since the end of 2017, many criminals have instead focused on cryptocurrency theft, in particular via cryptojacking malware designed to mine for virtual currencies by stealing CPU power from victims.
But while ransomware attack growth may have stalled, it still remains an oft-seen, illicit money-making tactic (see Cybercrime: 15 Top Threats and Trends).
Best Bet: Prepare, Don’t Pay
Ransomware victims may face a difficult choice: Give attackers the ransom they demand, and hope they furnish the promised decryption key in exchange, or else kiss their data goodbye.
Law enforcement agencies have urged ransomware victims to never pay because doing so perpetuates the cybercrime cycle.
Security experts have long said that the best way to beat ransomware is to prepare, in particular by keeping all operating systems, applications and especially anti-virus software up to date with the latest security patches. Also keep up-to-date backups of all systems, so any crypto-locked systems can be wiped and restored. And ensure these backups get stored to disconnected media, because many ransomware strains today will encrypt not just local drives, but also network drives (see Scotland’s Arran Brewery Slammed by Dharma Bip Ransomware).
In some cases, victims who get caught out may still be saved thanks to free decryptors, as offered via the No More Ransom project.
In the case of GandCrab ransomware seen to date, victims may be lucky. Beyond Valthek’s free vaccines, Romanian cybersecurity firm Bitdefender has released a number of free decryptors, via No More Ransom, that can decypt some strains of GandCrab in some cases. “However, before using it, you need to ensure that you still have at least one ransom note present on the PC containing your unique user_id,” its documentation warns, since that ransom note contains details that Bitdefender’s systems may be able to use to decrypt the PC.