BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
23
Global rank
49 infographic chevron month
Month rank
42 infographic chevron week
Week rank
1310
IOCs

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Ransomware
Type
ex-USSR territory
Origin
26 January, 2018
First seen
22 May, 2024
Last seen

How to analyze GandCrab with ANY.RUN

Type
ex-USSR territory
Origin
26 January, 2018
First seen
22 May, 2024
Last seen

IOCs

IP addresses
195.15.227.239
136.243.162.140
77.75.249.22
217.26.60.254
18.132.18.63
128.65.195.174
217.26.53.161
103.138.88.36
168.206.51.90
67.227.236.96
172.96.14.134
217.61.17.155
51.83.128.59
51.15.241.96
49.51.163.133
8.208.83.31
217.8.117.33
80.249.146.244
188.68.221.93
84.38.183.181
Hashes
c5fe2bbd7c54278d812565c4e99168ab18023ff43952ee445eeb7b45092b3729
8ee437ae0473df4344ebc939b3cb7bfdbf4d6192445cadc22a6ddf0e81c005e2
1e87276f47318753a67a192eac3bb4484f112c95f39db030d83e86fe48bd328c
7037c4b93eab0cba03bbf12c72aeb09fc6cae90367e8f9629aaddf1f38289b34
7339fb9166c5ad4eca219ec5f90290e0a820a7871a5f9fcdb5c3ba57e4c2bad5
6c037b1dcc0017241f46c769113de2d6b5d3c0de285e32d9a46692710794a61d
4934b45044677c790a7ceb7349ab6d6fdfbca2be6f923083b3f0795cea712c26
3eba73bdea2457f2cd6bd48fa578e30787036719a1367fe55c885d5bd55dca18
88a3c439a9525bbee09c2ee1bb512c695f875dc2f1894b28fc09dd86318bdd71
2a328f434e3426560858967589f93fbedd1ac618220f6f61d80211715b7403af
468f37fcaadf8e1e360504dd37d9ba00df2b812d3c29c79f5c74e4f620fd5a89
3ddfd75863884079811d1f0cd6a505a79ec918be5956f27f853cf99debab45f0
8202bd979da329207228193183be41e1036d4ae1ed39349b554272da62dcb1a5
b189714ec7acd7ea2e22ad53686f9ffff9819ada2a042e5179383749d7b48303
70e0ffd461835bda1d1b69bdcdadfe648db285f282f0e749c9d25ab0a5de5065
c23e632dd8f9d37c7ada28198dee2c69c09c6e6d54a09e45ee234e989266148d
a73c45c3b4469032b69c3622704026b0d6bb727ffbed4a8577d3f03b468fdf98
850d2c4fa1b9e0a06d6ac316cefed1d4922dc39f57481d388c47ef962a4c28ea
a856bd012a42b2e85a63a299bf064fa1daa26e22dd36db3a3832afbd8f618f78
b8db13dd5174f163f84223ade10f26cca95e9c9aaeb2a3542d9391141873cf6f
Domains
doomaricom.ddns.net
poketeg.com
perfectfunnelblueprint.com
cryptsen7fo43rr6.onion.to
perovaphoto.ru
pp-panda74.ru
zsr7pln56d2ovr85.com
cryptsen7fo43rr6.onion
ns2.wowservers.ru
priceclub.su
gandcrabmfe6mnef.onion
getsee.club
fabbfoundation.gm
ns1.wowservers.ru
ns1.cloud-name.ru
fliptray.biz
2mmotorsport.biz
la-fontaine.com
kroneregensberg.com
seitensprungzimmer24.com
URLs
http://www.haargenau.biz/uploads/tmp/esamfu.bmp
http://www.haargenau.biz/
http://www.macartegrise.eu/
http://www.macartegrise.eu/news/images/kemoheda.png
http://www.macartegrise.eu/news/images/thso.bmp
http://www.wash-wear.com/data/pics/thzuhedameme.gif
http://www.wash-wear.com/
http://www.macartegrise.eu/wp-content/assets/kada.bmp
http://asl-company.ru/includes/image/semohe.jpg
http://asl-company.ru/
http://www.macartegrise.eu/wp-content/graphic/imzues.png
http://www.kakaocorp.link/includes/graphic/thseessomode.jpg
http://www.kakaocorp.link/
http://www.kakaocorp.link/data/imgs/daimso.jpg
http://www.kakaocorp.link/uploads/tmp/imamfuso.jpg
http://www.macartegrise.eu/wp-content/tmp/moth.png
http://www.kakaocorp.link/data/tmp/immethim.png
http://perovaphoto.ru/data/image/esmeke.jpg
http://www.poketeg.com/news/assets/dezumo.gif
http://www.mimid.cz/news/pics/kekasethmo.jpg
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 51
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 723
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 570
comments 0

What is GandCrab ransomware?

GandCrab is a ransomware-type malware, which means that it encrypts files on infected machines and demands a ransom in cryptocurrency to restore the lost data. What’s more, this particular strain is distributed as a Ransomware-As-A-Service, allowing anybody to use this program by purchasing access to a control dashboard.

A unique business model and constant updates of the malware, in turn, helped GandCrab to become one of the most widely spread ransomware of 2018.

General Description of GandCrab

Since its discovery on January 26, 2018, at least 5 versions of GandCrab were created. The authors of the program are extremely active and respond to created countermeasures almost instantly, making GandCrab an elusive malware that continues to terrorize private and corporate victims today.

The last identified version of the malware is 5.1 and it targets users from all over the world with one exception – having originated in an ex-USSR country GandCrab is known to ignore users from X-USSR territories, identifying them by the keyboard or UI language settings. Only Windows operating systems are affected by ransomware.

It should be noted, that the virus is assigned a different name by various antivirus software:

  • Ransom: Win32/GandCrab
  • Trojan.Ransom.GandCrab
  • Win32/Filecoder.GandCrab
  • Ransom.GandCrab
  • Trojan-Ransom.Win32.GandCrypt

Usually infecting users through mail spam or exploit kits, the ransomware redirects victims to a TOR website after the files on a victim’s PC are encrypted. For the newer versions of the malware, the only way of restoring the data is through paying the ransom, the amount of which usually fluctuates between 1000 and 3000 dollars. However, some victims, have reported that they were asked to pay as much as 700,000 USD.

Having a RaaS ( Ransomware-as-a-Service ) business model, GandCrab is distributed by the original creators to “clients”, who then deliver the malware to end victims, asking for a custom ransom amount through one of the unique features of the virus – customizable ransom notes. A percentage of the “revenue” is then shared with the malware authors, once a ransom is secured.

GandCrab malware analysis

ANY.RUN provides the ability to watch the GandCrab program in action in interactive virtual machine simulation. Notably, ANY.RUN simulation can be used to perform the analysis of the stages of the virus life cycle:

  • Infection. A victim downloads and opens infected Microsoft Office file which contains a script programmed to download and start the execution of the virus;
  • Execution and information gathering. After the script has started the execution process, GandCrab collects information about the user. At this stage, the execution of the virus is stopped if a Russian keyboard layout or user interface is detected;
  • The malware checks for the presence of antivirus drivers and stops all processes that involve files that it wants to encrypt;
  • The ransomware decrypts the ransom record held in the binary;
  • Next, a key pair is generated;
  • The virus enumerates file and decryptors;
  • GandCrab proceeds to encrypt the files;
  • The malware establishes communication with the server;
  • After that, the malware will try to delete all shadow copies;
  • Finally, a ransom note is displayed to the user.

wallpaper after infection by gandcrab ransomware

Figure 1: Some versions of GandCrab are known to change the desktop wallpaper. This function is omitted in version 5.0.

ransomnote displayed by gandcrab v5.1

Figure 2: A ransomware note displayed by GandCrab v5.1

The following contamination processes are launched by the ransomware:

  • Starts CMD.EXE for commands execution
  • Executes PowerShell scripts
  • Downloads executable files from the Internet
  • Connects to CnC server
  • Makes registry changes
  • Runs wmic.exe
  • Executes vssvc.exe
  • Deletes shadow copies
  • Runs NOTEPAD.EXE

The whole contamination process can be seen in a video, displaying the ANY.RUN simulation.

gandcrab execution process graph

Figure 3: Illustrates the processes launched by GandCrab during its life cycle.

To build itself into the system, GandCrab starts with decrypting an extension name record that is held in the binary. By going through logical drives from “a” to “z” the malware separates all drives that are equal to 0x2 and not equal to 0x5, creating and separating thread to enumerate and encrypt all data that is prepared for encryption. After the encryption is complete, the malware uses wmic to erase all shadow copies. As a result, all data remains affected by the program even after a reboot.

The ransomware leaves behind artifacts that can help to recognize the version. Those exist in the form of extensions of encrypted files.

  • Version 1 gives the .gdcb extension
  • Version 2 and 3 give the .crab extension
  • Version 4 gives the .krab extension
  • Version 5 gives a randomized 5 or more letter extension

How to avoid infection by GandCrab?

According to the analysis, creators of GandGrab patch all exploits in the malware code fairly quickly, which makes the development of countermeasures tricky. Upon contamination with on of the latest versions, the only way to restore the lost data is to pay the ransom. Thus, the best way to stay safe is to prevent contamination.

  • By keeping digital copies of important files in multiple places
  • By making sure that the antivirus software is reliable and updated
  • Avoiding digital downloads on suspicious or unknown websites
  • Avoiding opening the attached files in emails, especially those coming from unknown senders.
  • And not paying the ransom if infected.

That said, effective countermeasures do exist for older versions of the ransomware like Troldesh or Nemty, including free decrypters and Killswitches. Most notably, a Killswitch for GandCrab v4.1.2 was developed by a cyber threat analysis and response company Ahnlab. The defensive application exploits the mechanics of GandCrab ransomware by creating a file with the .lock extension, which simulates the files that GandCrab itself generates and uses to check whether the victim's computer is included in the record of previously affected machines to avoid double decryption.

The execution of the ransomware stops upon discovery of .lock file if it is placed in %Application Data% for Windows versions before Windows 7 and in %ProgramData% directory for newer OS versions. Even in cases when the malware has already activated, the killswitch will prevent some of the damage.

Interestingly, in response to the killswitch, the GandCrab authors released an exploit, targeting the Ahnlab antivirus software. The exploit was introduced in version v4.2.1 and v4.3 of the malware but did not cause sufficient harm to the antivirus users.

For versions 1, 4 and up through 5.1 there are free decryption tool from Bitdefender.

Distribution of GandCrab

Based on the analysis, ransomware is known to utilize multiple attack vectors, however, compromised list and spam email campaigns are the most commonly used delivery channels. Being delivered to users in spam emails, GandCrab tricks users into downloading a ZIP archive that contains a script file that triggers the download and execution.

GandCrab execution process and technical malware analysis

An illustration of an execution process can be found below.

gandcrab execution process tree

Figure 4. Malware analysis of the GandCrab execution process in ANY.RUN

The following behavioural activities are shown in ANY.RUN’s malware analysis report.

text report of the gandcrab ransomware analysis

Figure 5: A text report created in ANY.RUN

During the execution the malware creates several artifacts that can be viewed in detail in the ANY.RUN simulation.

With file encryption being the main goal of the payload, the malware launches a command line with pre-specified parameters after opening a Microsoft Word file. Startup powershell is then sent as command line parameters, followed by downloading and launching the executable file from the Internet.

How to detect Gandcrab using ANY.RUN?

You can perform malware analysis of files using ANY.RUN's "Static Discovering". Open either "Files" tab in the lower part of the task's window or click on the process and then on the button "More Info" in the appeared window. After that, all you need to do is just click on the file.

gandcrab ransom note

Figure 6: Gandcrab ransom note

Conclusion

Thanks a unique business model which involves selling the program as a service and defining characteristics like customizable ransom notes, GandCrab’s popularity quickly escalated in 2018, making the virus the most widely spread ransomware of the year.

Unfortunately, the creators proved to be very active and continued to respond quickly to all attempts to create effective countermeasures. While adhering to common practices of staying safe on the internet decreases the probability of getting attacked greatly, running interactive sandbox malware analysis in a service such as ANY.RUN is the best way to ensure personal or corporate safety.

P.S.

On the 1st June 2019 creators of the GandCrab ransomware made a post in which they stating that they have generated more than $2 billion in ransom payments, with average weekly payments of $2.5 million dollars. They also said that they have personally earned $150 million, which they have cashed out and invested in legal business entities. In the same post, they announced about ending of distributing the program within 20 days and that keys will be deleted.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy