The Evolution of GandCrab Ransomware
Tamas Boczan @tamas_boczan, Sr. Threat Analyst

Why? Why? Why?

Business Model: RaaS

Panel for Affiliates

Mass Delivery Methods
• Email attachments: JavaScript, Doc, Encrypted doc
• Drive-by download

Delivery: RDP, Exploits

Payload: Starting Point
Data collection: • System Info • External IP • AV?
Connect Home: • nslookup
Preparation: • Kill Processes
Encryption: • AES • *.GDCB
Post-Infection: • Shadow Copies

Feb 28: Europol decryptor
(payload unchanged from the starting point)

7 days later: v2
Data collection: • System Info • External IP • AV? • Kernel-AV
Connect Home: • nslookup
Preparation: • Kill Processes
Encryption: • AES • *.CRAB
Post-Infection: • Shadow Copies

7 weeks later: v3
Post-Infection: • Shadow Copies • Wallpaper

v4
Data collection: • System Info • External IP • AV?
Connect Home: • nslookup
Preparation: • Kill Processes
Encryption: • Salsa (replacing AES) • *.KRAB • SMB shares
Post-Infection: • Shadow Copies • Wallpaper • Self-removal

v4.1
Data collection: • System Info • AV?
Connect Home: • WPress hacks • URL generation
Preparation: • Kill Processes
Encryption: • Salsa • *.KRAB • SMB shares
Post-Infection: • Shadow Copies • Wallpaper • Self-removal

Vaccine: Jul 13
[Timeline figure after the Jul 13 vaccine; only the intervals between its events survive: 4 d, 2 d, 1 d, 13 d]

Zero day details
• BSOD, no RCE
• Full disclosure, not used
• Why?
  - Retaliation
  - Overestimated impact
• Probably just fuzzed it

v5
Data collection: • System Info • AV?
Connect Home: • WPress hacks • URL generation
Preparation: • Kill Processes • Escalate
Encryption: • Salsa • *.{Random} • SMB shares
Post-Infection: • Shadow Copies • Wallpaper • Self-removal

v5: Maintenance
(payload unchanged from v5)

Retired?

What We Learned: Developer's Profile
(+ strength, - weakness)
• RaaS marketing skills: +
• Project organization: + reacts quickly; - poor quality
• Exploit development capability: + implements exploits based on POCs; + finds simple exploits via fuzzing; - can't develop a more complex RCE exploit; - can't judge the impact of an exploit
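The per-version payload table above (ransom extension, Connect Home method, Preparation and Post-Infection behaviours) can be turned into a small triage helper that checks whether what was seen on a host is consistent with any one version. The following is an added example, not code from the talk or from any GandCrab analysis tooling. It assumes process-creation records in a constructed `timestamp|host|image|command line` form, assumes how each slide bullet would surface in a command line (a `.bit` C2 name given to `nslookup`, `taskkill`, `vssadmin`/`wmic` shadow deletion, a registry wallpaper write, a `cmd /c ... del` self-delete), and transcribes the feature sets per version from the slides, treating v3's unshown columns as unchanged from v2. The sample log and file names are constructed, not taken from a real sample.

```python
"""
Version-attribution helper built from the per-version payload table in the
GandCrab slides. Added example, not code from the talk; the process-creation
records and file names are constructed, and the command-line regexes are
assumptions about how each slide bullet would surface on a host.
"""
import re
from collections import Counter, OrderedDict

# How each slide bullet is assumed to show up in a process-creation log
# (e.g. Sysmon event 1 command lines). Keys are feature names reused below.
STAGE_PATTERNS = OrderedDict([
    # Connect Home: C2 name resolved with nslookup. The .bit suffix is an
    # assumption for the example; the slides only say "nslookup".
    ("nslookup", re.compile(r"\bnslookup(\.exe)?\b.*\.bit\b")),
    # Preparation: processes holding files open get killed. Assumed to appear
    # as taskkill; a sample may instead terminate them via API calls.
    ("kill_processes", re.compile(r"\btaskkill(\.exe)?\b.*/im\b")),
    # Post-Infection: shadow copies removed.
    ("shadow_copies", re.compile(
        r"\bvssadmin(\.exe)?\b.*delete\s+shadows|\bwmic(\.exe)?\b.*shadowcopy\s+delete")),
    # Post-Infection: wallpaper replaced through the registry.
    ("wallpaper", re.compile(r"control panel\\desktop.*\bwallpaper\b")),
    # Post-Infection: self-removal via a delayed cmd /c ... del.
    ("self_removal", re.compile(r"\bcmd(\.exe)?\b.*/c.*\bdel\b.*\.exe")),
])

# Per-version feature sets, transcribed from the slide columns. v3's slide
# only shows the Post-Infection column, so its other columns are assumed
# unchanged from v2. Features with no command-line footprint (AES/Salsa,
# WPress C2, SMB shares, Escalate) are listed but never matched by a regex.
BASE = frozenset({"nslookup", "kill_processes", "shadow_copies"})
VERSIONS = OrderedDict([
    ("v1",   ("GDCB", BASE)),
    ("v2",   ("CRAB", BASE)),
    ("v3",   ("CRAB", BASE | {"wallpaper"})),
    ("v4",   ("KRAB", BASE | {"wallpaper", "self_removal", "smb_shares"})),
    ("v4.1", ("KRAB", (BASE - {"nslookup"}) | {"wpress_c2", "wallpaper", "self_removal", "smb_shares"})),
    # v5 uses a random extension (*.{Random} on the slide), modelled as None.
    ("v5",   (None,   (BASE - {"nslookup"}) | {"wpress_c2", "escalate", "wallpaper", "self_removal", "smb_shares"})),
])
KNOWN_EXTS = {ext for ext, _ in VERSIONS.values() if ext}


def parse_event(line):
    """Parse one constructed 'timestamp|host|image|command line' record."""
    ts, host, image, cmdline = line.split("|", 3)
    return {"ts": ts, "host": host, "image": image, "cmdline": cmdline}


def match_stages(events):
    """Feature names whose pattern matched a command line, in first-seen order."""
    seen = []
    for ev in events:
        cmdline = ev["cmdline"].lower()
        for feature, pattern in STAGE_PATTERNS.items():
            if feature not in seen and pattern.search(cmdline):
                seen.append(feature)
    return seen


def observed_extension(filenames):
    """Most common trailing extension (upper-cased), or None if there are no files."""
    counts = Counter(f.rsplit(".", 1)[-1].upper() for f in filenames if "." in f)
    return counts.most_common(1)[0][0] if counts else None


def consistent_versions(features, ext=None):
    """Versions from the slide table that explain every observed feature and the extension."""
    out = []
    for name, (vext, vfeatures) in VERSIONS.items():
        if ext is not None:
            # A known extension must match exactly; v5 accepts any unknown one.
            ext_ok = (vext == ext) if vext else (ext not in KNOWN_EXTS)
            if not ext_ok:
                continue
        if set(features) <= vfeatures:
            out.append(name)
    return out


# Constructed records for one host; not taken from a real sample.
SAMPLE_LOG = """\
2018-07-02T09:14:03|WS01|C:\\Windows\\System32\\nslookup.exe|nslookup example.bit 1.1.1.1
2018-07-02T09:14:05|WS01|C:\\Windows\\System32\\taskkill.exe|taskkill /f /im sqlservr.exe
2018-07-02T09:14:06|WS01|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2018-07-02T09:14:07|WS01|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2018-07-02T09:19:40|WS01|C:\\Windows\\System32\\reg.exe|reg add "HKCU\\Control Panel\\Desktop" /v Wallpaper /t REG_SZ /d C:\\ProgramData\\note.bmp /f
2018-07-02T09:19:41|WS01|C:\\Windows\\System32\\cmd.exe|cmd.exe /c ping 127.0.0.1 -n 3 & del /f /q C:\\Users\\u\\AppData\\Roaming\\svc.exe
"""
SAMPLE_FILES = ["C:\\Users\\u\\Documents\\report.docx.KRAB",
                "C:\\Users\\u\\Documents\\budget.xlsx.KRAB",
                "C:\\Users\\u\\Documents\\desktop.ini"]


def triage(log_text, filenames):
    """Match stages, read the extension, and list the versions that fit both."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    features = match_stages(events)
    ext = observed_extension(filenames)
    return {"features": features, "extension": ext,
            "versions": consistent_versions(features, ext)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, SAMPLE_FILES))
```

On the constructed host the five command lines match all five regex-detectable features and the files carry .KRAB, so the only version in the table that explains everything is v4 (v4.1 is ruled out because it no longer uses nslookup). An empty list is the useful result: a wallpaper change next to .GDCB files, for instance, fits no single row of the table and should make an analyst question either the sample or the host data. Features the slides list without a command-line footprint (cipher choice, WPress C2, SMB shares, privilege escalation) are never matched here and would need file or network evidence instead.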