GandCrab

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Type
Ransomware
Origin
ex-USSR territory
First seen
26 January, 2018
Last seen
11 July, 2020
Global rank
14
Week rank
22
Month rank
28
IOCs
8044

What is GandCrab ransomware?

GandCrab is a ransomware type malware, which means that it encrypts files on infected machines and demands a ransom in cryptocurrency to restore the lost data. What’s more, this particular strain is distributed as a Ransomware-As-A-Service, allowing anybody to use this malware by purchasing access to a control dashboard.

Unique business model and constant updates of the malware, in turn, helped GandCrab to become one of the most widely spread ransomware of 2018.

General Description of GandCrab

Since its discovery on January 26, 2018, at least 5 versions of GandCrab were created. The authors of the ransomware are extremely active and respond to created countermeasures almost instantly, making GandCrab an elusive malware that continues to terrorize private and corporate victims today.

The last identified version of the malware is 5.1 and it targets users from all over the world with one exception – having originated in an ex-USSR country GandCrab is known to ignore users from X-USSR territories, identifying them by the keyboard or UI language settings. Only Windows operating systems are affected by the ransomware.

It should be noted, that the virus is assigned a different name by various antivirus software:

  • Ransom:Win32/GandCrab
  • Trojan.Ransom.GandCrab
  • Win32/Filecoder.GandCrab
  • Ransom.GandCrab
  • Trojan-Ransom.Win32.GandCrypt

Usually infecting users through mail spam or exploit kits, the ransomware redirects victims to a TOR website after the files on a victim’s PC are encrypted. For the newer versions of the malware, the only way of restoring the data is through paying the ransom, the amount of which usually fluctuates between 1000 and 3000 dollars. However, some victims, have reported that they were asked to pay as much as 700,000 USD.

Having a RaaS ( Ransomware-as-a-Service ) business model, GandCrab is distributed by the original creators to “clients”, who then deliver the malware to end victims, asking for a custom ransom amount through one of the unique features of the virus – customizable ransom notes. A percentage of the “revenue” is then shared with the malware authors, once a ransom is secured.

GandCrab malware analysis

ANY.RUN provides the ability to watch the GandCrab malware in action in interactive virtual machine simulation. Notably, ANY.RUN simulation can be used to view the stages of the virus life cycle:

  • Infection. A victim downloads and opens infected Microsoft Office file which contains a script programmed to download and start the execution of the virus
  • Execution and information gathering. After the start of the execution process, GandCrab collects information about the user. At this stage, the execution of the virus is stopped if a Russian keyboard layout or user interface is detected;
  • The malware checks for the presence of antivirus drivers and stops all processes that involve files that it wants to encrypt;
  • The ransomware decrypts the ransom record held in the binary;
  • Next, a key pair is generated;
  • The virus enumerates file and decryptors;
  • GandCrab proceeds to encrypt the files;
  • The malware establishes communication with the server;
  • After that, the malware will try to delete all shadow copies;
  • Finally, a ransom note is displayed to the user.

wallpaper after infection by gandcrab ransomware

Figure 1: Some versions of GandCrab are known to change the desktop wallpaper. This function is omitted in version 5.0.

ransomnote displayed by gandcrab v5.1

Figure 2: A ransomware note displayed by GandCrab v5.1

The following contamination processes are launched by the ransomware:

  • Starts CMD.EXE for commands execution
  • Executes PowerShell scripts
  • Downloads executable files from the Internet
  • Connects to CnC server
  • Makes registry changes
  • Runs wmic.exe
  • Executes vssvc.exe
  • Deletes shadow copies
  • Runs NOTEPAD.EXE

The whole contamination process can be seen in a video, displaying the ANY.RUN simulation.

gandcrab execution process graph

Figure 3: Illustrates the processes launched by GandCrab during its life cycle.

To build itself into the system, GandCrab starts with decrypting an extension name record that is held in the binary. By going through logical drives from “a” to “z” the malware separates all drives that are equal to 0x2 and not equal to 0x5, creating and separating thread to enumerate and encrypt all data that is prepared for encryption. After the encryption is complete, the malware uses wmic to erase all shadow copies. As a result, all data remains affected by the ransomware even after a reboot.

The ransomware leaves behind artifacts that can help to recognize the version. Those exist in the form of extensions of encrypted files.

  • Version 1 gives the .gdcb extension
  • Version 2 and 3 give the .crab extension
  • Version 4 gives the .krab extension
  • Version 5 gives a randomized 5 or more letter extension

How to avoid infection by GandCrab?

Creators of GandGrab patch all exploits in the malware code fairly quickly, which makes the development of countermeasures tricky. Upon contamination with on of the latest versions, the only way to restore the lost data is to pay the ransom. Thus, the best way to stay safe is to prevent contamination.

  • By keeping digital copies of important files in multiple places
  • By making sure that the antivirus software is reliable and updated
  • Avoiding digital downloads on suspicious or unknown websites
  • Avoiding opening the attached files in emails, especially those coming from unknown senders.
  • And not paying the ransom if infected.

That said, effective countermeasures do exist for older versions of the ransomware, including free decrypters and Killswitches. Most notably, a Killswitch for GandCrab v4.1.2 was developed by a cyber threat analysis and response company Ahnlab. The defensive application exploits the mechanics of GandCrab ransomware by creating a file with the .lock extension, which simulates the files that GandCrab itself generates and uses to check whether the victim's computer is included in the record of previously affected machines to avoid double decryption.

The execution of the ransomware stops upon discovery of .lock file if it is placed in %Application Data% for Windows versions before Windows 7 and in %ProgramData% directory for newer OS versions. Even in cases when the malware has already activated, the killswitch will prevent some of the damage.

Interestingly, in response to the killswitch, the GandCrab authors released an exploit, targeting the Ahnlab antivirus software. The exploit was introduced in version v4.2.1 and v4.3 of the malware but did not cause sufficient harm to the antivirus users.

For versions 1, 4 and up through 5.1 there are free decryption tool from Bitdefender.

Distribution of GandCrab

The ransomware is known to utilize multiple attack vectors, however, compromised list and spam email campaigns are the most commonly used delivery channels. Being delivered to users in spam emails, GandCrab tricks users into downloading a ZIP archive which contains a file that triggers the download and execution.

GandCrab execution process

An illustration of an execution process can be found below.

gandcrab execution process tree

Figure 4. Analysis of the GandCrab execution process in ANY.RUN

The following behavioural activities are shown in ANY.RUN’s report.

text report of the gandcrab ransomware analysis

Figure 5: A text report created in ANY.RUN

During the execution the malware creates several artifacts that can be viewed in detail in the ANY.RUN simulation.

With file encryption being the main goal of the payload, the malware launches a command line with pre-specified parameters after opening a Microsoft Word file. Startup powershell is then sent as command line parameters, followed by downloading and launching the executable file from the Internet.

How to detect Gandcrab using ANY.RUN?

You can take a look inside files using ANY.RUN's "Static Discovering". Open either "Files" tab in the lower part of the task's window or click on the process and then on the button "More Info" in the appeared window. After that, all you need to do is just click on the file.

gandcrab ransom note

Figure 6: Gandcrab ransom note

Conclusion

Thanks a unique business model which involves selling the ransomware as a service and defining characteristics like customizable ransom notes, GandCrab’s popularity quickly escalated in 2018, making the virus the most widely spread ransomware of the year.

Unfortunately, the creators proved to be very active and continued to respond quickly to all attempts to create effective countermeasures. While adhering to common practices of staying safe on the internet decreases the probability of getting attacked greatly, running interactive sandbox simulations in a service such as ANY.RUN is the best way to ensure personal or corporate safety.

P.S.

On the 1st June, 2019 creators of the GandCrab ransomware made a post in which they stating that they have generated more than $2 billion in ransom payments, with average weekly payments of $2.5 million dollars. They also said that they have personally earned $150 million, which they have cashed out and invested in legal business entities. In the same post, they announced about ending of distributing the ransomware within 20 days and that keys will be deleted.

IOCs

IP addresses
204.11.56.48
66.171.248.178
164.132.235.17
188.165.53.185
103.224.212.222
87.98.154.146
192.168.100.104
18.215.128.143
213.186.33.5
213.186.33.17
209.99.40.222
213.186.33.4
134.0.10.169
192.168.100.241
66.96.147.103
93.88.241.198
217.70.184.50
74.220.199.8
80.74.142.130
62.2.99.251
Hashes
ef2cc603adea56cea76d70761ce4d61efe5c2d8e4a7f8d9d126a0d43928b5e80
6a623b1e016fc0df94fe27a3eb9cc1128c5ee3831a7dcc8e4879427167a41501
846ad2d7e1e133ae4bc2decbc22ae686a44cccaffbee15b4d9b23143f6aa8d3f
233437b647f9482a8a3ba51d0af69039bb58fb48609704a39db1f709a0e6aca6
7a682a24747c8ad4aaaad593c225d8d50ff9f0110c581a056045912e4306d529
4b5fe7497864d07f78af15fa3e1aa3702b303b89f9644624871d83dd0f484749
bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
752abdfadac7c76e831d84ae5877a2a7d7716a6cda642e3d235e205701af3786
d1a4a07b17bbefbe6b7aef72a57ca0a46ace4ea79056ff570a28102aff8f8442
ce093ffa19f020a2b73719f653b5e0423df28ef1d59035d55e99154a85c5c668
eddf2556d4b76b93df6cdb2e987e44e3bb880a2124122d7fbedceec8238283e9
5f70e59ceb5cf6e5a7f5876dffde65a03ed13d8ca16ab90882a2fb81172566ab
c1a66da25419855f684261ac55f796127d84ca7bb9e089b1eb18afde66d1da7c
684bab9339f6a3ee8d25bac2fb4c7bc353df10c26421261ae4ddc21529af26c6
5e51d6ad5674136c037c1d46d5316e674a3f766e2c4977f47209ebb83281a8c1
a80e29a4ab7b64fad34b15e808d57588d0b85f775fa366541a45b8e7076bd6df
7fd660894a473fe94690eb5f63adefac02379960ac1b828418d6cdb3b06ecedb
c56f552d4e78bea25a724327d8c66a6f52d851e44d445c5007e3c03e5b33b867
01f5ecacb43227299477c0c0cd8c71b14f623714005c1b88d53950e316f4f2d3
f13c477ae96c78a1aac0505b461fa37a900362c065bff74f49f50a4456d546bb
Domains
shop.definitelykingsley.com
penweb01.jabill.com
isns.net
oceanlinen.com
www.workitive.com
genevievegauthier9.wixsite.com
www.artificial-intelligence-cobots-manufacturing.com
www.stmo-f.com
www.sqlcodingcamp.com
www.hrcoreacademy.com
ajtvdf.wixsite.com
www.mourningsunchildren.org
www.signzillatraining.com
www.eu-landing.corp.pluto.tv
www.hudsoncountysheriff.com
www.pawfect4u.com
www.cootlogix.com
www.andrewamahoney.com
www.adidashardware.com
www.k-pagador.com

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat and JSocket is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information including passwords and credit card details as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Crimson RAT screenshot
Crimson RAT
crimson rat trojan
Crimson is a Remote Access Trojan — a malware that is used to take remote control of infected systems and steal data. This particular RAT is known to be used by a Pakistani founded cybergang that targets Indian military objects to steal sensitive information.
Read More
Danabot screenshot
Danabot
danabot trojan stealer
Danabot is an advanced banking Trojan malware that was designed to steal financial information from victims. Out of the Trojans in the wild this is one of the most advanced thanks to the modular design and a complex delivery method.
Read More