Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

GandCrab Ransomware Goes 'Agile'

GandCrab ransomware's developers have iterated the code rapidly, researchers found.

The relative quiet in ransomware attacks so far in 2018 may be a bit misleading, as ransomware developers have been busy and in some cases moving their craft forward with techniques used in enterprise software development.

According to researchers at Check Point, that's just what the creators of ransomware variant GandCrab are doing. GandCrab, a fairly recent entrant to the ransomware scene, infected over 50,000 victims and reaped more than $600,000 for attackers in the first two months of this year.

That's a notable return to the criminals, but it's not the most significant thing about GandCrab: "The most interesting point, and what makes it different is that the way the ransomware is developed and maintained - the whole approach," says Michael Kajiloti, team leader of malware research at Check Point.

The way that it's developed and maintained looks very much like the Agile development discipline used in many enterprise development shops today.

Rather than releasing malware that had been developed and tested for reliability before going public, Kajiloti says that GandCrab's developers released software with significant flaws - one made it easy to decrypt GandCrab's encrypted files without paying the ransom - but then rapidly iterated new versions to solve the problems and evade new techniques for detecting the malware.

Jon Clay, director of global threat communications at Trend Micro, says his firm has seen the same sort of behavior in their research of GandCrab. "They're doing a number of iterations pretty quickly," he says, noting that, while frequent iteration isn't completely unheard of, it is unusual in the malware business.

Clay also says that the ransomware's developers have been improving more than just the encryption and decryption routines. "They improved the persistence of the malware. They're being more rigorous in their attempts to keep the software on the system," he explains.

In the beginning, Crab was an under-engineered ransomware that managed to still be effective, according to Check Point. Now, Kajiloti says, "We've seen it evolve from simple and messed-up ransomware to something that's a real threat because it's becoming harder and harder to find flaws." And in fixing those flaws, the malware writers acknowledge the "help" of researchers in finding errors and creating new defenses.

Ben Herzog, a malware researcher at Check Point, says, "If you look through their [GandCrab's developers] logs they are full of the names of researchers so they're in a constant dialogue with the people researching them. They'll include the names of researchers in domain names as a way of 'honoring' successful takedowns."

And, in Herzog's view, that dialogue is part of what makes the GandCrab developers different. "What's novel is the whole picture," he says. "We've seen them take less than a week to fix decryption flaws and proactively fix flaws that weren't yet in the wild, so the guys have the capability to release a good product but they chose to go in this method."

A Criminal Network

One of the other unusual aspects of GandCrab is the way it's delivered or, in this case, the ways in which it's delivered. "While they use mal-spam (spam email carrying a malware payload) there are two exploit kits where they've added [GandCrab] as a dropper," Clay says. "They also use a drive-by download campaign and a pirated software bundle that features this. There are four or five arrival vectors. Usually something will use one or two but not all of these in the same campaign."

A variety of distribution methods is an artifact of the financial model the developers have used, one based on the affiliate model seen in legitimate businesses. Kajiloti says the affiliate model isn't unique but has been successful. "The authors themselves aren't the only ones spreading the ransomware - they have affiliates who can buy the ransomware and spread it themselves," he says.

"Law enforcement tends to go after the attackers, so the back office is less vulnerable. I think this group is using it both for profitability and to obfuscate their existence," says Clay.

New Old Defense?

Does this new ransomware mean that businesses should look to new defense methods? Check Point has stated that GandCrab is a fifth-generation attack: one that involves multi-vector attacks driving a need for threat prevention rather than simple threat detection. "If you're asking what to do about ransomware, you're ahead of the game already. The game is played on the field of being blindsided," says Herzog.

"Organizations need to continue to do what they need to. Layered security is important," says Clay, who points out that smaller organizations should be especially diligent. "When they scan the system to encrypt, they look for removable drives, RAM drives, network drives - any and all drives attached to the system. In a small business, all systems tend to be attached to the central server and that could cause real problems," he explains.

Ultimately, it's the effectiveness of protection, Clay says. "Organizations need to protect themselves and have a very good layered protection plan in place. Block things at the source versus just focusing on the endpoint: that's the worst place to detect ransomware," he says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Curtis Franklin Jr. is Senior Analyst at Omdia, focusing on enterprise security management. Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-22168
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\change-emaild.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22169
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\appointment-history.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22170
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\get_doctor.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22171
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\registration.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22172
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\get_doctor.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.