Attacks/Breaches

3/21/2018
08:10 PM
50%
50%

GandCrab Ransomware Goes 'Agile'

GandCrab ransomware's developers have iterated the code rapidly, researchers found.

The relative quiet in ransomware attacks so far in 2018 may be a bit misleading, as ransomware developers have been busy and in some cases moving their craft forward with techniques used in enterprise software development.

According to researchers at Check Point, that's just what the creators of ransomware variant GandCrab are doing. GandCrab, a fairly recent entrant to the ransomware scene, infected over 50,000 victims and reaped more than $600,000 for attackers in the first two months of this year.

That's a notable return to the criminals, but it's not the most significant thing about GandCrab: "The most interesting point, and what makes it different is that the way the ransomware is developed and maintained - the whole approach," says Michael Kajiloti, team leader of malware research at Check Point.

The way that it's developed and maintained looks very much like the Agile development discipline used in many enterprise development shops today.

Rather than releasing malware that had been developed and tested for reliability before going public, Kajiloti says that GandCrab's developers released software with significant flaws - one made it easy to decrypt GandCrab's encrypted files without paying the ransom - but then rapidly iterated new versions to solve the problems and evade new techniques for detecting the malware.

Jon Clay, director of global threat communications at Trend Micro, says his firm has seen the same sort of behavior in their research of GandCrab. "They're doing a number of iterations pretty quickly," he says, noting that, while frequent iteration isn't completely unheard of, it is unusual in the malware business.

Clay also says that the ransomware's developers have been improving more than just the encryption and decryption routines. "They improved the persistence of the malware. They're being more rigorous in their attempts to keep the software on the system," he explains.

In the beginning, Crab was an under-engineered ransomware that managed to still be effective, according to Check Point. Now, Kajiloti says, "We've seen it evolve from simple and messed-up ransomware to something that's a real threat because it's becoming harder and harder to find flaws." And in fixing those flaws, the malware writers acknowledge the "help" of researchers in finding errors and creating new defenses.

Ben Herzog, a malware researcher at Check Point, says, "If you look through their [GandCrab's developers] logs they are full of the names of researchers so they're in a constant dialogue with the people researching them. They'll include the names of researchers in domain names as a way of 'honoring' successful takedowns."

And, in Herzog's view, that dialogue is part of what makes the GandCrab developers different. "What's novel is the whole picture," he says. "We've seen them take less than a week to fix decryption flaws and proactively fix flaws that weren't yet in the wild, so the guys have the capability to release a good product but they chose to go in this method."

A Criminal Network

One of the other unusual aspects of GandCrab is the way it's delivered or, in this case, the ways in which it's delivered. "While they use mal-spam (spam email carrying a malware payload) there are two exploit kits where they've added [GandCrab] as a dropper," Clay says. "They also use a drive-by download campaign and a pirated software bundle that features this. There are four or five arrival vectors. Usually something will use one or two but not all of these in the same campaign."

A variety of distribution methods is an artifact of the financial model the developers have used, one based on the affiliate model seen in legitimate businesses. Kajiloti says the affiliate model isn't unique but has been successful. "The authors themselves aren't the only ones spreading the ransomware - they have affiliates who can buy the ransomware and spread it themselves," he says.

"Law enforcement tends to go after the attackers, so the back office is less vulnerable. I think this group is using it both for profitability and to obfuscate their existence," says Clay.

New Old Defense?

Does this new ransomware mean that businesses should look to new defense methods? Check Point has stated that GandCrab is a fifth-generation attack: one that involves multi-vector attacks driving a need for threat prevention rather than simple threat detection. "If you're asking what to do about ransomware, you're ahead of the game already. The game is played on the field of being blindsided," says Herzog.

"Organizations need to continue to do what they need to. Layered security is important," says Clay, who points out that smaller organizations should be especially diligent. "When they scan the system to encrypt, they look for removable drives, RAM drives, network drives - any and all drives attached to the system. In a small business, all systems tend to be attached to the central server and that could cause real problems," he explains.

Ultimately, it's the effectiveness of protection, Clay says. "Organizations need to protect themselves and have a very good layered protection plan in place. Block things at the source versus just focusing on the endpoint: that's the worst place to detect ransomware," he says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Microsoft President: Governments Must Cooperate on Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/8/2018
The Morris Worm Turns 30
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/9/2018
Veterans Find New Roles in Enterprise Cybersecurity
Kelly Sheridan, Staff Editor, Dark Reading,  11/12/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Online Malware and Threats: A Profile of Today's Security Posture
Online Malware and Threats: A Profile of Today's Security Posture
This report offers insight on how security professionals plan to invest in cybersecurity, and how they are prioritizing their resources. Find out what your peers have planned today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12174
PUBLISHED: 2018-11-14
Heap overflow in Intel Trace Analyzer 2018 in Intel Parallel Studio XE 2018 Update 3 may allow an authenticated user to potentially escalate privileges via local access.
CVE-2018-3621
PUBLISHED: 2018-11-14
Insufficient input validation in the Intel Driver & Support Assistant before 3.6.0.4 may allow an unauthenticated user to potentially enable information disclosure via adjacent access.
CVE-2018-3635
PUBLISHED: 2018-11-14
Insufficient input validation in installer in Intel Rapid Store Technology (RST) before version 16.7 may allow an unprivileged user to potentially elevate privileges or cause an installer denial of service via local access.
CVE-2018-3696
PUBLISHED: 2018-11-14
Authentication bypass in the Intel RAID Web Console 3 for Windows before 4.186 may allow an unprivileged user to potentially gain administrative privileges via local access.
CVE-2018-3697
PUBLISHED: 2018-11-14
Improper directory permissions in the installer for the Intel Media Server Studio may allow unprivileged users to potentially enable an escalation of privilege via local access.