GandCrab Ransomware
Versa Networks
October 4, 2018
Ransomware is a form of malicious software that latches onto a system and encrypts the files within it, making them inaccessible to the user. The attackers behind this malicious activity typically demand payment in terms of currency (crypto or cash) in return for the keys to decrypt the files. A recent ransomware which has become viral since January 2018 is named GandCrab. This ransomware is believed to be distributed as a Ransomware-as-a-Service [2,3].
GandCrab initially differentiated from other ransomware by demanding a ransom in DASH [7] cryptocurrency. The developers behind GandCrab have been continuously updating and releasing improved versions, with approximately six variants observed to date: GDCB, GandCrab V2, GandCrab V3, GandCrab V4, GandCrab V4.1, GandCrab V4.1.2 [5].
The variants differ in terms of distribution mechanism and attack-vector features they utilize. Our goal of this blog is to take quick look into these variants and provide insightful information into how they are impacting users and IT across the globe. For the first iteration of GandCrab (GDCB v1), security firm and vendor Bitdefender released a decrypter, but the developers behind this ransomware have since released many improved variants making this iteration of the decrypter ineffective. [6]
GandCrab employs a variety of methods to propagate itself, some of which include using JavaScript droppers, document droppers as well as exploit kits [1]. What brought this specific ransomware out from under the radar was the use of widespread email phishing campaigns. As part of these email spam campaigns, the emails contain archived attachments that included hidden JavaScript or document droppers that are obfuscated. The javascripts/vba scripts after deobfuscation execute one-line powershell commands to download and execute malicious payload. In addition, this approach, another variant uses the same distribution technique of email spamming, but directly downloads and executes the file without going through the powershell [3]. Other methods utilized Rig and GrandSoft exploit kits for spreading the ransomware. Cisco Talos later found that the newer variants also resorted to using compromised websites as part of the attack vector, one of which included a website for a courier service and a WordPress site[4].
The GandCrab ransomware uses custom packing in addition to techniques like reflective DLL loading to obfuscate the binary. While version 1 unpacked itself into memory with RWE permissions and executed, version 2 made use of a reflective DLL technique to load itself into memory and later versions (v4 and others) moved away from using this technique. [3]
The basic workflow of this ransomware consists of first extracting system specific information of the victim: the antivirus systems used, local disk type and available space information. It passes this information to its command control and uses the data to perform a preliminary check to avoid encryption for specific targets. It then terminates processes critical to the files targeted to be encrypted and tries to achieve one-time persistence. This ransomware also uses a common technique of storing the ransom note as well as the lists of file extensions to be avoided for encryption in xored format within the binary itself. These are decrypted on the fly when GandCrab executes.
The next major component of the ransomware workflow is key generation. There are mainly three types of encryptions used:
- RSA-2048 for encrypting the AES keys
- AES keys and IV for encrypting individual files
- RC4 for encrypting the content to be sent to command control
An initial connection to command control is established after the encryption process begins. The ransomware iterates through the local disk to find files to encrypt after checking against the list of defined exceptions. After all targeted files are encrypted it sends the statistics and status of the encryption process to command control and deletes any shadow volume copies.
With the rise of malware and ransomware, the enterprise branch is at increased risk of being impacted by unsuspecting users clicking on seemingly benign emails which are used in these phishing and spam campaigns. Comprehensive security is needed not only the user-devices but the networking and edge services that provide connectivity and visibility to the Internet and corporate resources. While SD-WAN serves to provide seamless and easier cloud access with native secure site-to-site connectivity, organizations still need a validated and recommended security solution to detect, protect and notify against evolving threats such as ransomware.
Versa Networks unifies and integrates advanced security and networking into a cloud-native contextually-aware software stack that delivers SD-WAN and security as a fully integrated solution.
The AV engine in Versa VOS™ (formerly FlexVNF) can detect the different versions, as well as identify and protect against the various stages of the GandCrab ransomware lifecycle.
If you are interested in understanding more about how Versa Networks can mitigate your WAN edge risk, contact us or reach out and request a live demonstration.
References
[1] https://www.acronis.com/en-us/articles/gandcrab/
[2] https://research.checkpoint.com/gandcrab-ransomware-mindset/
[3] https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
[4] https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
[5] https://www.2-spyware.com/remove-gandcrab-ransomware.html
[6] https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/
[7] https://www.dash.org/