Staying King Krab: GandCrab Malware Keeps a Step Ahead of Network Defenses
GandCrab ransomware is being rapidly developed to evade the cyber security community’s defense efforts, aid proliferation, and secure revenue for those driving the malware. Cofense Intelligence™ has identified a new campaign delivering GandCrab version 4.4, the newest iteration of this prolific ransomware. The developers of GandCrab follow the research analysis published on past versions and release new versions rapidly to negate the resulting defenses; some releases correlate directly with specific security companies’ findings. In the last two months, the authors of GandCrab have released version 4 and subsequent 4.x releases to improve the ransomware’s capabilities.
The email-borne campaign bearing GandCrab v4.4 (analyzed by Cofense Intelligence) did not follow the usual trend of delivery via a Microsoft Office macro attachment. The lures used in previous campaigns typically enticed recipients to download an infected resume or subpoena. This campaign’s emails were written in German and carried an attached .zip archive containing an executable sample of GandCrab v4.4. The email body follows previous campaign narratives and is depicted in Figures 1 & 2.
Figure 1: The email body written in German.
Figure 2: The email body translated to English.
Once executed, the GandCrab sample collects information about the machine and determines whether it is a viable candidate for encryption. If the machine is deemed acceptable, files that meet specific criteria are encrypted. After encryption, GandCrab drops a ransom note, as a .txt file, in each directory. Figure 3 is a ransom note example.
Figure 3: A GandCrab ransom note example.
The fourth version of GandCrab was released in July, only six months after the first sighting of GandCrab in the wild. This latest version is a drastic change from its predecessors. Focusing on speed of encryption, this version switches from using RSA-2048 to the Salsa20 encryption algorithm. Prior to the fourth version of GandCrab, the sample needed to check in successfully with its Command and Control (C2) infrastructure before beginning the encryption process; from version 4 onward, encryption no longer depends on that check-in. Figure 4 documents strings found in GandCrab referencing the developer of the Salsa20 algorithm.
Figure 4: The creator of Salsa20 algorithm is shown in the memory strings.
Versions 4 and 4.1 saw the introduction of a mechanism designed to prevent GandCrab from running on undesirable machines. These versions create a .lock file, named with a hex string derived from specific information present on the machine, and place it in the C:\ProgramData directory. The binary queries for this .lock file and, if it finds it, terminates itself without encrypting the endpoint. Another GandCrab kill switch is triggered when the sample inspects the language packs installed on the machine: if it finds a Russian language pack or the language packs of other former Soviet Union countries, it terminates itself without encrypting the endpoint.
Another upgrade that came with versions 4 and 4.1 was the ability to encrypt file shares and attached devices, which the sample detects through interaction with the System Volume Manager. This is a big update in weaponry because it gives the ransomware the ability to engulf a network with encrypted files, and it puts greater emphasis on the mitigation and response techniques needed within a network. Encrypted files have .KRAB appended to their names, and the ransom notes are renamed to KRAB-DECRYPT.txt. Figure 5 shows the encrypted file system, as well as the ransom note placed on the Desktop.
Figure 5: The GandCrab ransom note placement and the .KRAB extensions.
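The two on-disk artifacts named above (the .KRAB suffix and the KRAB-DECRYPT.txt note) are what a responder can sweep for on a share after an incident. The following is an added example, not Cofense's or the GandCrab author's code: it walks a directory tree, reports every encrypted file and ransom note, and lists the directories touched so the blast radius can be sized. The sample tree it builds under a temp directory is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Artifacts described for GandCrab v4.x: encrypted files have .KRAB appended
# to their names and a KRAB-DECRYPT.txt note is dropped in each directory.
ENCRYPTED_EXT = ".KRAB"
RANSOM_NOTE = "KRAB-DECRYPT.txt"


def scan_for_gandcrab_artifacts(root):
    """Walk `root` and report .KRAB files and KRAB-DECRYPT.txt notes.

    Returns the encrypted file paths, the ransom note paths, and the set of
    directories touched, so a responder can size the blast radius on a share.
    """
    root = Path(root)
    encrypted, notes, dirs = [], [], set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            # The extension is appended to the original name, so only the
            # suffix is checked (case-insensitively, for SMB shares).
            if name.upper().endswith(ENCRYPTED_EXT):
                encrypted.append(str(path))
                dirs.add(dirpath)
            elif name.upper() == RANSOM_NOTE.upper():
                notes.append(str(path))
                dirs.add(dirpath)
    return {
        "encrypted_files": sorted(encrypted),
        "ransom_notes": sorted(notes),
        "affected_directories": sorted(dirs),
        "likely_infected": bool(notes) or bool(encrypted),
    }


def build_sample_tree():
    """Constructed sample: a temp tree imitating a partly encrypted share."""
    base = Path(tempfile.mkdtemp(prefix="krab_demo_"))
    (base / "finance").mkdir()
    (base / "finance" / "q3.xlsx.KRAB").write_bytes(b"\x00" * 16)
    (base / "finance" / RANSOM_NOTE).write_text("constructed ransom note text")
    (base / "hr").mkdir()
    (base / "hr" / "handbook.docx").write_bytes(b"PK")  # untouched file
    (base / "README.txt").write_text("clean")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    result = scan_for_gandcrab_artifacts(sample)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Point the scanner at a mounted share root rather than a temp tree in practice; the directory list doubles as a quick map of which shares the infected endpoint had write access to.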
GandCrab v4.1 also exhibited network traffic not seen in older versions. This version uses a custom Domain Generation Algorithm (DGA) to create URLs and POSTs the information collected from the machine to the DGA-created URL. These POSTs do not go to GandCrab C2 infrastructure; rather, they go to legitimate domains. Some researchers have theorized that these POSTs are a proof of concept (PoC) for a future feature not yet fully utilized; others believe they are meant to fill the network with false-positive C2 indicators. Figure 6 shows the multiple POSTs to DGA-created URLs.
Figure 6: The network POSTs to the DGA created URLs.
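Because the POST destinations are legitimate domains, reputation lists will not catch this traffic; what stands out is one client posting to many unrelated domains within seconds. The following is an added detection example, not code from Cofense or from the malware, and it does not reproduce the DGA itself: it parses a constructed proxy log (the format, hosts and domains are invented for the demo) and flags any client that POSTs to at least a threshold number of distinct domains inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed proxy log: "<ISO timestamp> <client ip> <method> <url> <status>".
# 10.1.2.7 imitates the burst of POSTs to unrelated domains; the others are normal.
SAMPLE_PROXY_LOG = """\
2018-08-01T10:00:01 10.1.2.3 GET http://intranet.example/home 200
2018-08-01T10:00:04 10.1.2.3 POST http://mail.example/send 200
2018-08-01T10:00:12 10.1.2.3 GET http://intranet.example/news 200
2018-08-01T10:05:00 10.1.2.7 POST http://gardenblog.example/data.php 404
2018-08-01T10:05:02 10.1.2.7 POST http://cityshop.example/upload 405
2018-08-01T10:05:03 10.1.2.7 POST http://travel-pics.example/post.php 404
2018-08-01T10:05:05 10.1.2.7 POST http://oldforum.example/img.php 403
2018-08-01T10:05:06 10.1.2.7 POST http://bakery-site.example/data 404
2018-08-01T10:05:08 10.1.2.7 POST http://choir-news.example/x.php 404
2018-08-01T10:09:00 10.1.2.9 POST http://mail.example/send 200
2018-08-01T10:09:30 10.1.2.9 POST http://mail.example/send 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_proxy_log(text):
    """Parse the constructed log format into event dicts; skips malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, status = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "method": method,
            "domain": urlparse(url).hostname,
            "status": int(status),
        })
    return events


def find_post_bursts(events, window_seconds=60, min_distinct_domains=5):
    """Return {client: sorted POST domains} for clients that POST to at least
    `min_distinct_domains` different domains within one `window_seconds` window.
    Cardinality, not destination reputation, is the signal here."""
    by_src = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["domain"]:
            by_src[e["src"]].append(e)
    flagged = {}
    window = timedelta(seconds=window_seconds)
    for src, posts in by_src.items():
        posts.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(posts)):
            # Slide the window start forward until it fits within window_seconds.
            while posts[end]["ts"] - posts[start]["ts"] > window:
                start += 1
            distinct = {e["domain"] for e in posts[start:end + 1]}
            if len(distinct) >= min_distinct_domains:
                # Report every POST destination for the client to aid triage.
                flagged[src] = sorted({e["domain"] for e in posts})
                break
    return flagged


if __name__ == "__main__":
    for client, domains in find_post_bursts(parse_proxy_log(SAMPLE_PROXY_LOG)).items():
        print(f"{client} POSTed to {len(domains)} distinct domains: {domains}")
```

Tune the window and threshold against a baseline of your own proxy data; mail clients and CDN-heavy web apps also POST to several hosts, but rarely to five unrelated second-level domains within a minute.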
Version 4.1.2 was created out of necessity because of the work done by AhnLab, Inc. and its vaccine software. AhnLab found that the .lock file could be impersonated and placed on the machine beforehand; the GandCrab sample would then find the .lock file and terminate itself, preventing it from encrypting the machine. The ransomware developers negated AhnLab’s vaccine within four days by using the Salsa20 encryption algorithm to create the .lock file. Less than one day later, AhnLab provided v2.0 of the vaccine. Two days after that, a new variant of GandCrab was spotted which checked for a mutex instead. GandCrab v4.1.2 also added anti-sandbox techniques, such as checking allocated memory and the registry for indicators of a virtual environment.
The updated version 4.1.2 became the basis for v4.2+ and brought with it a PoC weapon aimed at AhnLab. This PoC is source code that claims to cause a denial of service (DoS) against the AhnLab anti-virus solution used on endpoints, producing a Blue Screen of Death (BSOD) on the targeted system. The anti-sandbox techniques discussed above were removed again in v4.2.1. Figure 7 shows the link to the PoC within the running memory.
Figure 7: The BSOD PoC link in the memory strings.
Version 4.3 was simply a re-compile and re-organization of the code, with anti-disassembly techniques added. Version 4.4, the latest version, builds on its predecessors with a few new features of its own. It comes with a stealth mode which, when enabled, queries the information gathered and determines whether any processes on the endpoint need to be terminated before GandCrab starts its infection. Most of the processes targeted for termination are anti-virus products and processes that may hold handles to important files (such as database files) which GandCrab intends to encrypt; terminating them allows a non-disruptive, stealth-like file encryption process. The latest version also comes with a self-kill switch: it can create the .lock file and place it in the %ProgramData% directory before infection, as a nod to AhnLab’s vaccine. If the .lock file is found, the sample sleeps in the background indefinitely. Figure 8 shows the stealth mode strings in memory.
Figure 8: Stealth mode in the memory strings.
What You Can Do
As with any ransomware, and especially GandCrab v4.4, you need to have the proper mitigation in place in case an endpoint on the network becomes encrypted. Proper mitigation involves having up-to-date software from the manufacturer; network segmentation of resources that are considered critical; recurring and tested backups of all business-critical data; an email security stack that can sanitize emails before they reach the end user; and a response plan that has been practiced and refined. Having these things in place can help you withstand a ransomware incident.
GandCrab blasted onto the scene in early 2018, and since then has made great strides in staying relevant in the shifting landscape. The latest rendition employs tactics, like offline encryption, that had not yet been seen by prior iterations. GandCrab v4 has been able to change and adapt to the mitigation tactics of the cyber security community within the span of two months. The developers of GandCrab have been able to quickly evolve their malware based on anti-virus research analysis, which allows for more effective and lasting infections for the ransomware operators. This rapid development cycle of ransomware is a new trend that could likely lead to more malware developers taking research analysis as constructive criticism, then making their samples more robust in the future.