The Evolution of Gandcrab Ransomware

Tamas Boczan (@tamas_boczan), Sr. Threat Analyst

Why?

Business Model: RaaS
• Panel for affiliates

Mass Delivery Methods
• Email attachments
  - JavaScript
  - Doc
  - Encrypted doc
• Drive-by download
• Delivery: RDP, exploits

Payload: Starting Point (v1)
The payload is shown as five stages; each later version is listed against the same five stages.
• Data collection: System Info, External IP, AV?
• Connect Home: nslookup
• Preparation: Kill Processes
• Encryption: AES, *.GDCB
• Post-Infection: Shadow Copies

Feb 28: Europol decryptor
• Payload unchanged from v1.

7 days later: v2
• Data collection: System Info, External IP, AV?, Kernel-AV
• Connect Home: nslookup
• Preparation: Kill Processes
• Encryption: AES, *.CRAB
• Post-Infection: Shadow Copies

7 weeks later: v3
• Post-Infection: Shadow Copies, Wallpaper

v4
• Data collection: System Info, External IP, AV?
• Connect Home: nslookup
• Preparation: Kill Processes
• Encryption: AES, Salsa, *.KRAB, SMB shares
• Post-Infection: Shadow Copies, Wallpaper, Self-removal

v4.1
• Data collection: System Info, AV?
• Connect Home: WPress hacks, URL generation
• Preparation: Kill Processes
• Encryption: Salsa, *.KRAB, SMB shares
• Post-Infection: Shadow Copies, Wallpaper, Self-removal

Vaccine: Jul 13
Timeline (only the intervals survive from the slide): 4 d, 2 d, 1 d, 13 d

Zero day details
• BSOD, no RCE
• Full disclosure, not used
• Why?
  - Retaliation
  - Overestimated impact
• Probably just fuzzed it

v5
• Data collection: System Info, AV?
• Connect Home: WPress hacks, URL generation
• Preparation: Kill Processes, Escalate
• Encryption: Salsa, *.{Random}, SMB shares
• Post-Infection: Shadow Copies, Wallpaper, Self-removal

v5: Maintenance
• Pipeline unchanged from v5.

Retired?

What We Learned: Developer's Profile
• RaaS marketing skills (strength)
• Project organization
  - Strength: react quickly
  - Weakness: poor quality
• Exploit development capability
  - Strength: implement exploits based on POCs
  - Strength: find simple exploit via fuzzing
  - Weakness: can't develop more complex RCE exploit
  - Weakness: can't guess impact of an exploit
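The payload stages named in the deck (connect home via nslookup, kill processes, shadow copy deletion, self-removal) and the per-version extensions can be turned into a stage-based triage rule. The Python below is an added example, not code from the talk or from GandCrab: the concrete command lines it matches (taskkill, vssadmin/wmic, cmd del) are assumptions about how those behaviours commonly surface in process-creation telemetry, and the sample events are constructed. It also encodes the deck's own caveat that v5's random extension defeats extension-only matching, so behavioural rules have to carry the detection.

```python
"""Behavioural triage for the GandCrab payload stages listed in the deck.

Added example: not code from the talk or from GandCrab. The deck names the
behaviours; the command-line patterns here are assumptions about how those
behaviours appear in process-creation telemetry (Sysmon Event ID 1 style).
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str      # executable name as reported by the collector
    cmdline: str    # full command line


# Pipeline stage -> list of (rule name, regex over the command line).
STAGE_RULES = {
    "connect_home": [
        # Deck: C2 resolution through nslookup.
        ("nslookup_c2_lookup", re.compile(r"\bnslookup(\.exe)?\b", re.I)),
    ],
    "preparation": [
        # Deck: "Kill Processes" so locked files can be encrypted (taskkill assumed).
        ("forced_process_kill", re.compile(r"\btaskkill(\.exe)?\b.*\s/f\b", re.I)),
    ],
    "post_infection": [
        # Deck: "Shadow Copies" (deletion to block recovery; exact commands assumed).
        ("shadow_copy_deletion",
         re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
                    r"|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
        # Deck: "Self-removal" (assumed: cmd /c del of the dropped binary).
        ("self_removal", re.compile(r"\bcmd(\.exe)?\b.*\bdel\b.*\.exe\b", re.I)),
    ],
}

# Deck: encrypted-file extension per version. v5 switched to a random
# extension, so extension matching alone cannot identify v5.
EXTENSION_VERSION = {".gdcb": "v1", ".crab": "v2/v3", ".krab": "v4/v4.1"}


def version_from_extension(filename: str):
    """Return the GandCrab version family implied by the extension, or None."""
    dot = filename.rfind(".")
    return EXTENSION_VERSION.get(filename[dot:].lower()) if dot != -1 else None


def match_stages(events):
    """Map host -> {stage: [rule names]} for every event that hits a rule."""
    hits = defaultdict(lambda: defaultdict(set))
    for ev in events:
        for stage, rules in STAGE_RULES.items():
            for name, pattern in rules:
                if pattern.search(ev.cmdline):
                    hits[ev.host][stage].add(name)
    return {h: {s: sorted(r) for s, r in stages.items()} for h, stages in hits.items()}


def triage(events, min_stages=2):
    """Hosts on which at least `min_stages` distinct pipeline stages were seen.

    Any single rule is noisy (administrators run nslookup and vssadmin too);
    requiring several stages of the chain on one host is what separates the
    ransomware pipeline from legitimate use.
    """
    return sorted(h for h, stages in match_stages(events).items()
                  if len(stages) >= min_stages)


# Constructed sample telemetry (not real logs). WS01 shows the whole chain;
# ADMIN01 only shows an administrator resolving a hostname.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "nslookup.exe", "nslookup example-c2.invalid"),
    ProcEvent("WS01", "taskkill.exe", "taskkill /f /im outlook.exe"),
    ProcEvent("WS01", "vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent("WS01", "cmd.exe",
              'cmd /c del "C:\\Users\\user\\AppData\\Roaming\\payload.exe"'),
    ProcEvent("ADMIN01", "nslookup.exe", "nslookup fileserver.corp.invalid"),
]

if __name__ == "__main__":
    for host, stages in match_stages(SAMPLE_EVENTS).items():
        print(host, stages)
    print("triage:", triage(SAMPLE_EVENTS))
    print(version_from_extension("report.docx.KRAB"))
```

With the constructed events, only WS01 clears the two-stage threshold; ADMIN01's lone nslookup stays below it. The rules follow the stage layout of the deck, so a new version that changes its extension (as v5 did) still trips the same behavioural chain.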