On January 28th, a new threat was added to the black market section of a notorious Russian cybercrime forum. The post introduced a new type of ransomware, dubbed GandCrab. The post presented the ransomware as a “partnerka” (affiliate program) in which the developer picks its “partners”, and they divide the profits of each ransom 20/40% between them. For the big distributors, there is even a discount: 70/30%. The offered affiliate program was a success, and as of the time of writing, only one vacant place is left in the program. Since then, multiple infections have been detected, particularly in South Korea, and a few in Cyprus.
The main incentive behind most darknet activities is money, so it is no surprise that business schemes such as this have emerged. The ease of use and recent prevalence of the phenomenon known as Ransomware-as-a-Service (RaaS) are rising, and GandCrab is another milestone in this trend.
The malware itself is a traditional ransomware that encrypts the victim’s files on the hard drive and displays a ransom note that directs them to a payment page, which also contains a decryptor.
Nevertheless, GandCrab also presents some noteworthy aspects.
First, it demands the ransom in DASH (formerly known as Darkcoin and XCoin) cryptocurrency.
Recently, we have noticed ransomware shifting from Bitcoin to more secure and decentralized coins, mainly Monero, but this is the first ransomware that demands its ransom in DASH (see Figure 2).
Second, GandCrab has numerous attack vectors. It can spread through two already familiar exploit kits: RIG EK and GrandSoft EK. GrandSoft is a particularly old EK (it surfaced in 2013) that was considered extinct but has now resurfaced. RIG EK is also a veteran EK that uses known exploits to infiltrate victims’ machines.
Two more infection paths are the Necurs malware, which spreads via spam emails (see Figure 3), and the EITest campaign with the assortment of malicious tools associated with it. All of the infection methods mentioned above exploit known vulnerabilities for which patches have already been released, which emphasizes the importance of patching systems regardless of how old the threat is.
Additionally, the tooling reveals that threat actors are using old and familiar tools in order to cut costs and development time, thus offering fast solutions to the ever-growing demand for RaaS. While recycled malware is used to distribute the ransomware, attackers invest their time in building web applets and management consoles for the novice darknet member, lowering the bar of computer knowledge required to use and manage the whole ransom operation.
Moreover, we can see hackers becoming resellers: they sell different variants of already-used malware to customers without a technical background, while saving better, more advanced developments for their own sinister objectives.
Third, the malware refers its victims to a TOR-based site, probably to further obfuscate its origin.
However, for the regular user who doesn’t know how to access the darknet through TOR, they also supply clearweb mirrors for payments (see Figure 4).
Since the first publication, the developer of GandCrab has been attentive to the reaction of the security community. They seem to like the attention, as it serves their purpose of publicizing the offer (see Figure 5).
At the same time, since the publication, they have also kept enhancing and improving the software, as any software vendor would. The improvements derive from customer (or “partner”) feedback, but also from the need to avoid detection by the various security products that “caught his scent” (see Figures 6-7).
The RaaS model provides threat actors with a force multiplier in revenue making. Therefore, it seems that this trend will continue in the upcoming year, making malware development and service provision a growing business, which, alas, will foster the creation of ransomware that is accessible to the masses.