Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

GandCrab Ransomware Goes 'Agile'

GandCrab ransomware's developers have iterated the code rapidly, researchers found.

The relative quiet in ransomware attacks so far in 2018 may be a bit misleading, as ransomware developers have been busy and in some cases moving their craft forward with techniques used in enterprise software development.

According to researchers at Check Point, that's just what the creators of ransomware variant GandCrab are doing. GandCrab, a fairly recent entrant to the ransomware scene, infected over 50,000 victims and reaped more than $600,000 for attackers in the first two months of this year.

That's a notable return to the criminals, but it's not the most significant thing about GandCrab: "The most interesting point, and what makes it different is that the way the ransomware is developed and maintained - the whole approach," says Michael Kajiloti, team leader of malware research at Check Point.

The way that it's developed and maintained looks very much like the Agile development discipline used in many enterprise development shops today.

Rather than releasing malware that had been developed and tested for reliability before going public, Kajiloti says that GandCrab's developers released software with significant flaws - one made it easy to decrypt GandCrab's encrypted files without paying the ransom - but then rapidly iterated new versions to solve the problems and evade new techniques for detecting the malware.

Jon Clay, director of global threat communications at Trend Micro, says his firm has seen the same sort of behavior in their research of GandCrab. "They're doing a number of iterations pretty quickly," he says, noting that, while frequent iteration isn't completely unheard of, it is unusual in the malware business.

Clay also says that the ransomware's developers have been improving more than just the encryption and decryption routines. "They improved the persistence of the malware. They're being more rigorous in their attempts to keep the software on the system," he explains.

In the beginning, Crab was an under-engineered ransomware that managed to still be effective, according to Check Point. Now, Kajiloti says, "We've seen it evolve from simple and messed-up ransomware to something that's a real threat because it's becoming harder and harder to find flaws." And in fixing those flaws, the malware writers acknowledge the "help" of researchers in finding errors and creating new defenses.

Ben Herzog, a malware researcher at Check Point, says, "If you look through their [GandCrab's developers] logs they are full of the names of researchers so they're in a constant dialogue with the people researching them. They'll include the names of researchers in domain names as a way of 'honoring' successful takedowns."

And, in Herzog's view, that dialogue is part of what makes the GandCrab developers different. "What's novel is the whole picture," he says. "We've seen them take less than a week to fix decryption flaws and proactively fix flaws that weren't yet in the wild, so the guys have the capability to release a good product but they chose to go in this method."

A Criminal Network

One of the other unusual aspects of GandCrab is the way it's delivered or, in this case, the ways in which it's delivered. "While they use mal-spam (spam email carrying a malware payload) there are two exploit kits where they've added [GandCrab] as a dropper," Clay says. "They also use a drive-by download campaign and a pirated software bundle that features this. There are four or five arrival vectors. Usually something will use one or two but not all of these in the same campaign."

A variety of distribution methods is an artifact of the financial model the developers have used, one based on the affiliate model seen in legitimate businesses. Kajiloti says the affiliate model isn't unique but has been successful. "The authors themselves aren't the only ones spreading the ransomware - they have affiliates who can buy the ransomware and spread it themselves," he says.

"Law enforcement tends to go after the attackers, so the back office is less vulnerable. I think this group is using it both for profitability and to obfuscate their existence," says Clay.

New Old Defense?

Does this new ransomware mean that businesses should look to new defense methods? Check Point has stated that GandCrab is a fifth-generation attack: one that involves multi-vector attacks driving a need for threat prevention rather than simple threat detection. "If you're asking what to do about ransomware, you're ahead of the game already. The game is played on the field of being blindsided," says Herzog.

"Organizations need to continue to do what they need to. Layered security is important," says Clay, who points out that smaller organizations should be especially diligent. "When they scan the system to encrypt, they look for removable drives, RAM drives, network drives - any and all drives attached to the system. In a small business, all systems tend to be attached to the central server and that could cause real problems," he explains.

Ultimately, it's the effectiveness of protection, Clay says. "Organizations need to protect themselves and have a very good layered protection plan in place. Block things at the source versus just focusing on the endpoint: that's the worst place to detect ransomware," he says.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-24259
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24260
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
CVE-2021-24261
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
CVE-2021-24262
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
CVE-2021-24263
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...