GandCrab: The most popular multi-million dollar ransomware of 2018
Ransomware has been around for years and has inflicted financial losses estimated in the billions of dollars. As one of the most lucrative types of malware, from a financial perspective, ransomware developers have invested considerable time, effort, and knowledge into perfecting both its delivery mechanisms and its capabilities.
Traditional ransomware families such as CryptoWall and CryptoLocker mostly focused on the average user and demanded payments ranging from $200 to $500 in the past, but ransomware developers figured they could significantly increase their profit if they targeted organisations and companies, which have significantly more valuable data, such as databases and intellectual property.
In late January 2018, GandCrab was potentially born from the need to further monetise encrypted data from organisations, by customising ransom notes based on the victim’s profile and the type of encrypted data. Consequently, a GandCrab ransom demand could range from $600 to $700,000 per victim. This change in behavior likely led to a significant leap in revenue for cybercriminals, particularly since they started delivering it as-a-service.
GandCrab: The most popular ransomware of 2018
The GandCrab ransomware family emerged in late February 2018 and was quickly adopted by cybercriminals because it offered something no other ransomware family had offered before: custom ransom notes. While the average user would be reluctant to spend as much as $500 to get their data back, organisations and companies that manage client databases or have intellectual property on their servers would be far more interested in paying larger amounts of money.
Currently, the most prolific versions of GandCrab are versions 4 and 5, which are estimated to have infected around 500,000 victims worldwide, since July 2018. Considering the lowest ransom note is $600 and almost half of infected victims give in to ransomware, the developers might have made at least $300 million in the past couple of months alone. And actual financial losses could be significantly higher, considering that some victims have reported a ransom notes of $700,000.
With traditional ransomware, the victim – whether it be a hospital or a company – would have to contact the ransomware developer and negotiate a smaller fee to pay if they had a large number of endpoints infected. This process usually takes time.
Improvements brought on by GandCrab make the entire process more seamless, by adjusting the ransom note for each victim, based on the type of encrypted files. For example, if the infected server holds a large database, the ransom note will probably range in the thousands of dollars, but if the server holds less valuable information the ransom note could be as low as $600.
Another interesting aspect of GandCrab is the adoption of DASH as well as Bitcoin payments. DASH is basically a forked Bitcoin protocol that enables faster transactions that are untraceable. This made moving virtual currency around more secure and completely anonymous.
Interestingly, one of the most interesting features of the ransomware is that, when performing reconnaissance on the victim’s system, before actually starting to encrypt files, it will identify whether the keyboard layout is in Russian and will abort the entire process, effectively choosing not to infect Russian-speaking victims.
Also, before actually starting the encryption process, it will check whether there are processes that have locked handles for specific file types that GandCrab may want to encrypt. Basically, it will close all document viewers and editors, email clients, web browsers, database applications, and even game engines, before actually starting the encryption process. This process makes sure no files are missed and that every file of importance is encrypted.
Popular GandCrab infection vectors
Some of the most popular infections vectors used to spread GandCrab revolve around emails with attachments. While the most popular attachment is usually a .ZIP archive that usually contains a script (e.g. JavaScript, PowerShell, etc.), cybercriminals have also been using popular web-based exploit kit. RIG and GrandSoft are normally the most popular exploit kits used to deliver GandCrab to victims, usually abusing unpatched Flash or Adobe Reader vulnerabilities.
Interestingly, ransomware developers have also teamed up with botnet operators to either start planting ransomware on infected systems or use the botnet to spread emails with infected attachments. Using a shared revenue model, botnet operators could receive a per centage off the ransom paid by each victim, because they facilitated the service. This new monetisation process of botnets and ransomware is not new, but it does show that cybercriminal groups can gang together for financial gain.
There have also been confirmed cases of GandCrab infections within organisations, where threat actors managed to bruteforce the domain password or a machine serving remote desktop protocol (RDP) within the organisation, and manually executed the ransomware on specific machines. This practically allowed the threat actors to first perform reconnaissance on the machine to ascertain the value of the stored information and data, then customise the ransom note based on how critical the information was and the company’s profile.
Ransomware-as-a-service
While ransomware itself can generate substantial revenue for cybercriminals, ransomware developers started offering ransomware kits on demand, either to the highest bidder or to whomever was interested. Ransomware-as-a-service enables anyone, even those with no technical knowledge, to use ransomware and customise it based on their own specifications. Everything from the language in which the ransom note is written to the amount of money requested from each victim, can easily be customised by non-tech savvy users using a simple web-based interface provided by attackers.
Traditionally, ransomware developers would ask for an upfront payment when requesting a customised ransomware kit. Now, they’ve embraced a shared-revenue model that enables them to get 30% of the ransom note paid by each victim. This new affiliation-based business model makes the initial cost of purchasing “clients” low, and at the same time stimulates adoption.
Besides getting access to a highly user-friendly interface that allows for customised ransomware dissemination and “features”, ransomware developers also offer 24-hour support, call center assistance, documentation, and even tutorials on how to configure, deploy, and use the ransomware and the management console hosted on the command and control (C&C) server.
Sometimes, for a small price, they even rent access to botnets that can help disseminate the email messages with infected attachments. These aggregated services are usually part of the same ransomware-as-a-service offering, enabling affiliates to launch global ransomware campaigns with just a couple of clicks — no technical skills — and immediate distribution.
Steering clear of ransomware, including GandCrab
Zakir Hussain, Director for BD Soft, highlights pointers on how you can stay safe. He said, ‘to stay clear of ransomware, users are strongly encouraged to have all software, including operating systems, updated with the latest security patches, perform regular backups or critical data, and make sure they’re using a security solution that can fend off ransomware.’
‘It’s also important to not give in to ransomware, as paying the ransom note will only serve to continue fueling cybercriminal activities, and there’s no guarantee the cybercriminal will actually give you the decryption key. Basically, you’ll be trusting a cybercriminal to keep his end of the bargain,’ added Hussain.
‘If you get infected, perform an image of the affected system and either treat the incident as a hardware failure or recover your data from a previous backup. Having an image of the encrypted files can prove beneficial, especially since ransomware decryption tools, such as the free Ransomware Recovery Tool, are constantly updated by security researchers to help recover any lost files,’ he concludes.
