
The Evolution of GandCrab Ransomware

Tamas Boczan @tamas_boczan Sr. Threat Analyst

Why?

Business Model: RaaS

Panel for Affiliates

Mass Delivery Methods
• Email attachments
  - Javascript
  - Doc
  - Encrypted doc
• Drive-by download

Delivery: RDP, Exploits

Payload: Starting Point
Data collection: • System Info • External IP • AV?
Connect Home: • nslookup
Preparation: • Kill Processes
Encryption: • AES • *.GDCB
Post-Infection: • Shadow Copies

Feb 28: Europol decryptor

Data collection: • System Info • External IP • AV?
Connect Home: • nslookup
Preparation: • Kill Processes
Encryption: • AES • *.GDCB
Post-Infection: • Shadow Copies

7 days later: v2

Data collection: • System Info • External IP • AV? • Kernel-AV
Connect Home: • nslookup
Preparation: • Kill Processes
Encryption: • AES • *.CRAB
Post-Infection: • Shadow Copies

7 weeks later: v3

Post-Infection: • Shadow Copies • Wallpaper

v4

Data collection: • System Info • External IP • AV?
Connect Home: • nslookup
Preparation: • Kill Processes
Encryption: • AES • Salsa • *.KRAB • SMB shares
Post-Infection: • Shadow Copies • Wallpaper • Self-removal

v4.1

Data collection: • System Info • AV?
Connect Home: • WPress hacks • URL generation
Preparation: • Kill Processes
Encryption: • Salsa • *.KRAB • SMB shares
Post-Infection: • Shadow Copies • Wallpaper • Self-removal

Vaccine: Jul 13

[Timeline graphic: 4 d, 2 d, 1 d]

Zero day details
[Timeline graphic: 4 d, 2 d, 1 d, 13 d]
• BSOD, no RCE
• Full disclosure, not used
• Why?
  - Retaliation
  - Overestimated impact
• Probably just fuzzed it

v5

Data collection: • System Info • AV?
Connect Home: • WPress hacks • URL generation
Preparation: • Kill Processes • Escalate
Encryption: • Salsa • *.{Random} • SMB shares
Post-Infection: • Shadow Copies • Wallpaper • Self-removal

v5: Maintenance
Data collection: • System Info • AV?
Connect Home: • WPress hacks • URL generation
Preparation: • Kill Processes • Escalate
Encryption: • Salsa • *.{Random} • SMB shares
Post-Infection: • Shadow Copies • Wallpaper • Self-removal

Retired?

What We Learned: Developer’s Profile
• > RaaS marketing skills
• Project organization:
  > react quickly
  < poor quality
• Exploit development capability:
  > implement exploits based on POCs
  > simple exploit via fuzzing
  < can’t develop more complex RCE exploit
  < can’t guess impact of an exploit
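The stage pipeline the slides track for every version (Connect Home, Preparation, Encryption, Post-Infection) and the per-version file extensions can be turned into a host-level correlation rule for a defender. This is an added example, not code from the talk; the event schema, the thresholds and the sample telemetry are constructed, and the version mapping is taken from the slides only.

```python
"""Correlate endpoint events into the deck's GandCrab stage pipeline (Connect Home ->
Preparation -> Encryption -> Post-Infection) and infer the version family from the
extension. Added example, not from the talk; schema, thresholds and samples are constructed."""
from collections import Counter

# Encrypted-file extensions named on the slides, mapped to the versions that used them.
EXT_VERSION = {"gdcb": "v1", "crab": "v2/v3", "krab": "v4.x"}
# Events needed before a stage counts as confirmed (constructed thresholds).
THRESHOLDS = {"connect_home": 1, "preparation": 3, "encryption": 5, "post_infection": 1}

def stage_of(ev):
    """Map one constructed event to a pipeline stage, or None if unrelated."""
    t, d = ev["type"], ev["detail"].lower()
    if t == "process_start" and d.startswith("nslookup"):
        return "connect_home"      # slides: C2 located via nslookup
    if t == "process_terminate":
        return "preparation"       # slides: Kill Processes before encryption
    if t == "file_rename" and "." in d:
        return "encryption"        # slides: *.GDCB / *.CRAB / *.KRAB / random extension
    if t == "shadow_copy_delete":
        return "post_infection"    # slides: Shadow Copies removed after encryption
    return None

def analyze_host(events):
    """Return (confirmed stages in order, version guess, alert) for one host."""
    counts, first_seen, exts = Counter(), {}, Counter()
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = stage_of(ev)
        if s is None:
            continue
        counts[s] += 1
        if counts[s] == THRESHOLDS[s]:    # stage confirmed at this timestamp
            first_seen[s] = ev["ts"]
        if s == "encryption":
            exts[ev["detail"].rsplit(".", 1)[-1].lower()] += 1
    order = sorted(first_seen, key=first_seen.get)
    version = (EXT_VERSION.get(exts.most_common(1)[0][0], "v5 (random extension)")
               if "encryption" in first_seen else None)
    # Alert only on the deck's ordering: Connect Home, then Preparation, then Encryption.
    core = [s for s in order if s != "post_infection"]
    return order, version, core == ["connect_home", "preparation", "encryption"]

# Constructed sample telemetry for one host (not real GandCrab logs).
SAMPLE = [{"ts": i, "type": t, "detail": d} for i, (t, d) in enumerate([
    ("process_start", "nslookup c2.example.invalid"),
    ("process_terminate", "dbserver.exe"), ("process_terminate", "backupagent.exe"),
    ("process_terminate", "officeapp.exe"),
    *[("file_rename", f"report{n}.docx.krab") for n in range(5)],
    ("shadow_copy_delete", "all volumes"),
])]
```

Calling `analyze_host(SAMPLE)` returns the four stages in the deck's order, the guess `v4.x` from the `.KRAB` extension, and an alert; a burst of renames to an unknown extension without the preceding lookup and process kills yields only the encryption stage and no alert.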
