GandCrab Ransomware Goes 'Agile'GandCrab ransomware's developers have iterated the code rapidly, researchers found.
The relative quiet in ransomware attacks so far in 2018 may be a bit misleading, as ransomware developers have been busy and in some cases moving their craft forward with techniques used in enterprise software development.
According to researchers at Check Point, that's just what the creators of ransomware variant GandCrab are doing. GandCrab, a fairly recent entrant to the ransomware scene, infected over 50,000 victims and reaped more than $600,000 for attackers in the first two months of this year.
That's a notable return to the criminals, but it's not the most significant thing about GandCrab: "The most interesting point, and what makes it different is that the way the ransomware is developed and maintained - the whole approach," says Michael Kajiloti, team leader of malware research at Check Point.
The way that it's developed and maintained looks very much like the Agile development discipline used in many enterprise development shops today.
Rather than releasing malware that had been developed and tested for reliability before going public, Kajiloti says that GandCrab's developers released software with significant flaws - one made it easy to decrypt GandCrab's encrypted files without paying the ransom - but then rapidly iterated new versions to solve the problems and evade new techniques for detecting the malware.
Jon Clay, director of global threat communications at Trend Micro, says his firm has seen the same sort of behavior in their research of GandCrab. "They're doing a number of iterations pretty quickly," he says, noting that, while frequent iteration isn't completely unheard of, it is unusual in the malware business.
Clay also says that the ransomware's developers have been improving more than just the encryption and decryption routines. "They improved the persistence of the malware. They're being more rigorous in their attempts to keep the software on the system," he explains.
In the beginning, Crab was an under-engineered ransomware that managed to still be effective, according to Check Point. Now, Kajiloti says, "We've seen it evolve from simple and messed-up ransomware to something that's a real threat because it's becoming harder and harder to find flaws." And in fixing those flaws, the malware writers acknowledge the "help" of researchers in finding errors and creating new defenses.
Ben Herzog, a malware researcher at Check Point, says, "If you look through their [GandCrab's developers] logs they are full of the names of researchers so they're in a constant dialogue with the people researching them. They'll include the names of researchers in domain names as a way of 'honoring' successful takedowns."
And, in Herzog's view, that dialogue is part of what makes the GandCrab developers different. "What's novel is the whole picture," he says. "We've seen them take less than a week to fix decryption flaws and proactively fix flaws that weren't yet in the wild, so the guys have the capability to release a good product but they chose to go in this method."
A Criminal Network
One of the other unusual aspects of GandCrab is the way it's delivered or, in this case, the ways in which it's delivered. "While they use mal-spam (spam email carrying a malware payload) there are two exploit kits where they've added [GandCrab] as a dropper," Clay says. "They also use a drive-by download campaign and a pirated software bundle that features this. There are four or five arrival vectors. Usually something will use one or two but not all of these in the same campaign."
A variety of distribution methods is an artifact of the financial model the developers have used, one based on the affiliate model seen in legitimate businesses. Kajiloti says the affiliate model isn't unique but has been successful. "The authors themselves aren't the only ones spreading the ransomware - they have affiliates who can buy the ransomware and spread it themselves," he says.
"Law enforcement tends to go after the attackers, so the back office is less vulnerable. I think this group is using it both for profitability and to obfuscate their existence," says Clay.
New Old Defense?
Does this new ransomware mean that businesses should look to new defense methods? Check Point has stated that GandCrab is a fifth-generation attack: one that involves multi-vector attacks driving a need for threat prevention rather than simple threat detection. "If you're asking what to do about ransomware, you're ahead of the game already. The game is played on the field of being blindsided," says Herzog.
"Organizations need to continue to do what they need to. Layered security is important," says Clay, who points out that smaller organizations should be especially diligent. "When they scan the system to encrypt, they look for removable drives, RAM drives, network drives - any and all drives attached to the system. In a small business, all systems tend to be attached to the central server and that could cause real problems," he explains.
Ultimately, it's the effectiveness of protection, Clay says. "Organizations need to protect themselves and have a very good layered protection plan in place. Block things at the source versus just focusing on the endpoint: that's the worst place to detect ransomware," he says.
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio