GandCrab Ransomware: Cat-and-Mouse Game Continues
Free Decryptor Combats 'Aggressive' Ransomware-as-a-Service Provider
To the list of life's certainties - death, taxes - add the following: always-in-development versions of cryptolocking ransomware, distributed by ransomware-as-a-service operators, designed to extort victims into paying in cryptocurrency for the promise of a decryption key that will restore their files.
Like all malware developers, ransomware coders have a financial incentive to keep updating their code, to try and help it bypass security defenses, including anti-virus and anti-malware tools. But ransomware developers also rely on their code to crypto-lock systems, and any cryptography errors they make can leave their victims able to decrypt their systems for free.
Since the beginning of the year, many online attackers have shifted to distributing cryptocurrency mining software. But ransomware - especially GandCrab, Satan and Data Keeper - remains a threat, and is sometimes distributed by attackers together with banking malware, miners and other malicious code (see Ransomware: No Longer Sexy, But Still Devastating).
"GandCrab has been particularly aggressive throughout 2018," Raj Samani, chief scientist at McAfee, recently told me.
Whereas in recent years, multiple ransomware families competed, this year "GandCrab basically took over the whole market of ransomware-as-a-service," thanks in part to its marketing prowess, Tamas Boczan, a senior threat analyst at VMRay, tells me. He's been tracking the evolution of GandCrab, and presented research to that effect on Friday at GreHack, a hacking and information security conference held in Grenoble, France.
Boczan says that GandCrab has undergone furious revision since it appeared in January, evolving from very basic ransomware into attack code that now "uses multiple exploits and anti-reversing tricks."
MasterCrab Battles GandCrab
Even so, on Friday, the independent malware researcher known as Valthek released a free decryptor for GandCrab ransomware versions 5.0 to 5.0.3, although he says it also potentially works with version 5.0.4.
Valthek says he's been able to reverse-engineer the malware. "The decryption works because I reverse the malware fully, [I] only need your key," Valthek tells me.
To use the decryptor, called MasterCrab, a victim must obtain the "rsa.bin" private decryption key tied to their GandCrab infection and place a copy in the same folder as the decryptor.
Valthek says he wishes he had the ability to generate this key for victims, but does not. That ability, at least for GandCrab version 5 victims, only appears to reside with Romanian security firm Bitdefender, which has previously published free decryptors for various strains of ransomware, including multiple versions of GandCrab. So anyone infected by GandCrab version 5 for whom the Bitdefender decryptor doesn't work might appeal to Bitdefender for a copy of the required key.
Bitdefender's free GandCrab decryptor requires an active internet connection, as well as a copy of the ransom note on the victim's PC. Behind the scenes, Bitdefender appears to be able to crack the private encryption key used to crypto-lock the victim's PC, which then allows the victim to decrypt their files. To do that, a victim must first upload a copy of their ransom note.
"The note is unique to the way your files are encrypted," says Bogdan Botezatu, Bitdefender's director of threat research. "Every ransom note is tied to one computer and one computer only."
In response to Valthek saying that his firm should share its private key cracking ability, Botezatu says that Bitdefender prefers to control the ability to provide private keys to victims, to ensure that the service is always provided for free.
"We offer the tool for free and provide free support for it. People who can't solve the infection themselves are offered free remote desktop assistance," he says via Twitter. "This helps them both get the data back and pay nothing in return for it. This is hard to beat."
(6/x) Ultimately, the last thing the world needs is middle-men building tools around these decryption keys, slapping some marketing and SELLING them or otherwise peddling paid-for support to victims. Our decryptors and support are - and will always be - free.— Bogdan Botezatu (@bbotezatu) November 15, 2018
Botezatu says Bitdefender regularly updates its decryption tool. "We isolate corner cases, fix them and update the tool several times a week, improving decryption and making the new tool again available for the rest of the victims," he says. "This centralized approach also allows us to be more effective."
GandCrab Version 5.0.5 Appears
Such updates are required because the GandCrab gang regularly updates its tools to try and evade defenses and countermeasures. For example, after Bitdefender released its latest free decryptor on Oct. 25, just 12 hours later, Boczan says he began seeing a version 5.0.5 of GandCrab, which the decryptor couldn't crack.
Well that was quick. There is a new #GandCrab version 5.0.5 that breaks the Europol/Bitdefender decryptor.— Tamas Boczan (@tamas_boczan) October 26, 2018
Sandbox report: https://t.co/BefwhHF0Jb
Sample: https://t.co/CEJLiozYCv pic.twitter.com/iC5R4Qa09j
So far, however, that version only appears to have been uploaded to VirusTotal, meaning it may still be a beta version being developed by the GandCrab gang to test forthcoming features, Valthek says.
He reports that 5.0.4 appears to be the only version being distributed, based on the copies he's seen in the wild, which sport that version number as well as code-compilation dates of Oct. 26, Oct. 29 and Nov. 7.
"I guess they will update to 6 in a rewrite soon, but 100 percent I can't say [for sure]," he says.
Poor Code Quality Helps Crack GandCrab
Thankfully for many victims, security researchers say GandCrab's code quality isn't great. Valthek says that poor code quality is the reason he's also been able to develop and release vaccines for GandCrab, which McAfee says work as intended. Such vaccines can prevent PC users from becoming infected with a particular strain of ransomware, or from having their files forcibly encrypted, provided they install the vaccine before being infected.
Valthek's free decryptor follows the free Bitdefender decryptor for many versions of GandCrab being released last month via the No More Ransom project (see Fresh GandCrab Decryptor Frees Data for Free).
That decryptor was developed by the Romanian Police, who worked with their counterparts in Bulgaria, France, Hungary, Italy, Poland, the Netherlands, the United Kingdom and the United States, together with Bitdefender and the EU's law enforcement intelligence agency, Europol.
Affiliates at Work
"The rapid spread of GandCrab has been helped along by a ransomware-as-a-service scheme, which offers on the dark web to wannabe criminals with little to no technical expertise a toolkit for launching quick and easy malware attacks, in exchange for a 30 percent cut from each ransom payment," Europol says.
Affiliates set their demanded ransom amount. They're provided with a customized version of GandCrab that automatically remits a fixed percentage to the development team, and the rest to the affiliate.
GandCrab ransoms are payable in either bitcoin or dash (see Crabby Ransomware Nests in Compromised Websites). But victims that wish to pay in bitcoin have to pay a 10 percent premium to the U.S. dollar equivalent of dash, says Bill Siegel, CEO of cyber incident response firm Coveware. "GandCrab affiliates wash their ransom proceeds through bitcoin mixing services to disguise the flow of funds," he tells me. "These mixers charge a processing fee that the affiliates pass on to the victim, hence the additional 10 percent if a victim chooses to pay in bitcoin, versus dash."
Boczan reported that the No More Ransom - aka Bitdefender - decryptor appeared to work well with GandCrab versions 5.0 to 5.0.2.
But some researchers have reported that the tool doesn't always appear to work reliably with 5.0.3. Valthek says that drove him to release his decryptor. Again, however, for it to work properly, a victim would need to obtain the private RSA key used to encrypt their files.
I can confirm that the decryptor works against #GandCrab 5.0.3... Mostly.— Tamas Boczan (@tamas_boczan) October 25, 2018
When scanning a single folder it fails. When running it on the entire filesystem it throws a warning that some files could not be decrypted, but I think everything was decrypted successfully in that case. pic.twitter.com/mTWJqthm9s
On Nov. 2, however, Bitdefender's Botezatu reported: "GandCrab 5.0.5 and some subversions of GandCrab 5.0.4 cannot be currently decrypted. Hang on, help is coming, it just takes a while."
Affiliates Choose Their Own Distribution Tactics
Affiliates who sign up to the GandCrab program distribute the malware in a variety of ways, including phishing emails and via the RIG exploit kit, although that's been changing.
"They were using mostly email and sometimes exploit kits, but now RDP is somehow more trendy inside the underground forums," VMRay's Boczan says, referring to using remote desktop protocol to gain remote access to an organization's network (see How Much Is That RDP Credential in the Window?).
Earlier this year, GandCrab held a contest to decide which crypter service it should partner with, to repackage its attack code and make it harder to spot. The NTCrypt malware crypter service won, and is now offered as an optional add-on to all GandCrab affiliates, with prices starting at $100 per encryption, or $350 per week.
GandCrab Targeted Zero-Day
Boczan says one unusual aspect to GandCrab is that its developer - or developers - were able to target a zero-day flaw. "Ransomware developers and malware developers in general are not hackers, they like to think that they are hackers, but they are actually software developers, and they're not usually too able to find an exploit by themselves," he tells me.
In this case, the zero-day attack appeared to be in retaliation for South Korean cybersecurity vendor AhnLab releasing a vaccine for GandCrab:
- July 13: AhnLab releases vaccine for GandCrab;
- July 17: GandCrab issues new release that defeats the vaccine;
- July 18: AhnLab releases second version of vaccine for GandCrab;
- August 02: GandCrab issues new release that targets a flaw in AhnLab anti-virus software.
Any attempt by GandCrab's operators to damage AhnLab's reputation appears to have failed, Boczan says, noting that AhnLab quickly patched its software. In addition, AhnLab told Bleeping Computer that its anti-virus software was still detecting and blocking the version of GandCrab that was designed to exploit the flaw in its software.
Backup Plan: Save Cryptolocked Data
As the cat-and-mouse game being played between GandCrab's developers and security researchers shows, in some cases, free decryptors can give victims a "get out of jail free" card.
For anyone who does fall victim to ransomware and can't avail themselves of a free decryptor - or who does pay and doesn't get a working decryption key in return - all may not be lost. In such cases, be sure to keep a full backup of everything, including the ransom note, since security firms in the future may be able to build a decryptor, says Bitdefender's Botezatu via Twitter.
If you got hit by ransomware and there is no decryption tool available for it at the moment, BACKUP THE DATA + RANSOM NOTE. At some point we (or any player in the industry) will come up with one and you'll be able to get the data back. Do not delete it.— Bogdan Botezatu (@bbotezatu) November 9, 2018
In some past cases, ransomware gangs have published their master keys. In other cases, researchers have infiltrated malicious infrastructure or police have arrested developers, leading to the "good guys" recovering the master keys, enabling them to build more effective decryptors.
Meanwhile, law enforcement officials continue to urge individuals and organizations to never pay ransoms. Instead, they can defend against ransomware by preparing in advance. Top advice includes running up-to-date anti-virus software, as well as maintaining regular, offline backups of all systems. That way, any affected systems can be wiped and restored, and victims never need to grapple with the ethically dubious option of paying their attacker for the promise of a decryption key.