SANS Webcast Recap: Dissecting GandCrab Ransomware

Nov 15th 2018

GandCrab is one of the most prevalent ransomware families in 2018. In this post—condensed from a SANS webcast that he participated in— VMRay Product Manager Rohan Viegas discusses the fundamental techniques GandCrab uses to encrypt user’s files and basic detection methods that can provide the first line of defense against attacks.

Since it first appeared in January 2018, GandCrab has won a loyal following with its ransomware-as-a-service (RaaS) model. RaaS makes it easy for “affiliates” to enter the lucrative field of extortion at a modest cost and with minimal effort, using ransomware designed by experienced malware authors. Even those with little technical expertise can launch an attack with just a few clicks. GandCrab provides the means to encrypt the target organization’s critical data files, demand ransom payments that escalate if the victim delays, and restore victims’ access to their data via a decryption key that is provided once payment is completed.

 

“Don’t Worry, I Have Backups”

SANS Analyst, Jake Williams, says many security teams underestimate their vulnerability to ransomware, believing that an effective backup strategy is adequate protection.  Not so, says Williams. “People assume their backups are perfect, but that’s seldom the case. Tapes and drives fail. People make mistakes. Unexpected things happen,” he says. “One of our clients discovered that while load-balancing their email server, all users whose last names began with E—including some Board members—had all their emails from the prior year deleted.”

 

 

But there’s a bigger problem. GandCrab disables the victim’s backup-and-restore capabilities by systematically deleting backup files and snapshots. This leaves the victim with few options but to pay the ransom.

 

To Pay or Not to Pay?

As a security company, VMRay’s position is to never pay a ransom. One reason is that there’s no guarantee an attacker will decrypt files after a ransom has been paid. However, Jake Williams says many organizations he has worked with decide to pay anyway, and most actually recover their files. “Our biggest factor in recommending whether to pay is the reputation of the ransomware author,” he explains. “Not all authors are good programmers. Some malware variants have critical logic errors. Even if the attacker wanted to help you decrypt, they may not be able to.”

 

 

Beyond the cost of paying a ransom—or losing files that can’t be decrypted—there are many other risks and costs associated with an attack. These may include:

  • Productivity losses across profit centers and among high-value contributors during the period that critical data is inaccessible.
  • Disruptions for overworked security teams, who need to set aside daily tasks and strategic projects to investigate the intrusion and manage data restoration.
  • The significant costs of closing long-ignored security gaps and fending off repeat ransomware attacks, which often occur within 60 to 90 days of the first intrusion.

In addition, a breach that compromises sensitive and/or regulated data may trigger legal liability, regulatory penalties, and contractual obligations. Adverse publicity can damage customer relationships. Attacks on government can erode public confidence, as happened when much of Atlanta’s municipal government lost access to its computer systems.

 

 

Given all these costs, Williams emphasizes the importance of preventing files from being encrypted in the first place. “With that goal in mind, it’s important to understand how a GandCrab attack unfolds and what measures you can take immediately to improve your defenses.”

 

Dissecting the GandCrab Kill Chain

With several software versions of GandCrab already in circulation by July 2018, the VMRay Research Team utilized VMRay Analyzer to map out the basic stages of an attack—which are common across all four versions—while also noting variations that are associated with v2, v3, and v4, respectively.  The stages and some of their components are summarized here.

Distribute the malware

At the time of this webcast in July 2018, Email attachments and URLs were the most common delivery methods used by GandCrab authors. Favored options for email include zipped JavaScript files, zipped JavaScript droppers and document files, such as PDFs and Word documents with embedded macros.

 

 

For URLs, there are multiple exploit kits that foster the spread of malware by the user doing nothing more than clicking on one infected link. However, this approach requires the user to have an unpatched version of a browser or Flash player. Otherwise, the attack won’t work.

Download the payload

The next step is to connect to the remote Command and Control server and download the malicious payload.  Older GandCrab versions relied on hardcoded URLs to make the connection, but these may be picked up by static detection tools, especially if the URL is blacklisted. In more recent GandCrab versions, dynamic creation of URLs enhances stealth and helps avoid detection, and some versions don’t connect to the C2 server at all.

 

 

Collect and send system details to the C&C server

The information gathered may relate to the user’s domain, IP address, processor name and architecture, anti-virus programs, keyboard layout, drives, and other details.

Prepare for encryption

Encryption starts by generating the necessary cryptographic keys and closing crucial processes that could prevent encryption from taking place (e.g. outlook.exe). GandCrab uses public-private key pairs to manage encryption and decryption. Unique cryptographic keys are generated for each victim. Gandcrab also closes processes that could affect its ability to encrypt important files. For example, if the WinWord process is open and has open handles to an important Word doc, the malware would not be able to encrypt this document.

 

 

Encrypt the files and remove shadow copies

Searching the relevant file shares and storage devices GandCrab encrypts the file types specified by the attacker.  Usually, these are Microsoft Office documents, PDF files, image and video files, and so on: anything that may be important to the victim. Shadow copies are then removed so the victim cannot restore the encrypted files from a recent backup or snapshot.

Send the ransom note. 

An indication that user’s files have been encrypted and won’t be released until the ransom is paid. (GandCrab currently accepts two forms of crypto-currency: bitcoin and DASH.) In some cases, the victim is given a chance to decrypt one or two files of their choosing, to confirm the attacker can complete the promised release of hostage files.

Throughout this multi-stage process, GandCrab incorporates many stealth features that are meant to thwart detection and incident response. For example, a sandbox-evasion technique called API hammering is designed to cause the sandbox analysis to time out before it spots malicious behavior. In earlier GandCrab implementations, the malware ensures persistence by adding itself to Autorun. If the victim suspects something is wrong and shuts down the system, the encryption process will resume when the system reboots.

 

Enhancing Protection: Get Started with Four Proven Detection Methods

For SOC teams that are newly focused on fighting the ransomware epidemic, Jake Willams suggests four malware detection methods that SOC teams can implement quickly and at very little cost, using commonly available tools and free instrumentation.

Alert on vssadmin.exe

GandCrab invokes vssadmin.exe to wipe clean Shadow Volume Copies and snapshots so the target organization can’t restore encrypted data from recent backups. This is one of the last preparation steps before the encryption process begins. Alerting on vssadmin.exe, especially when it is not on a schedule or not tied to a systems admin ID, may give you sufficient warning to interrupt an attack and minimize the damage.

Alert on Tor usage.

Most corporate networks rarely or never use the Tor network. In contrast, GandCrab may implement a Tor connection within the target environment to transmit encryption keys and facilitate ransom payments. Alerting on connections to TOR nodes allows you to quickly spot behavior that may be criminal in nature.

Look for excessive volumes of file writes

This may be a clue that files are being encrypted. Monitoring IOPS allows you to distinguish between what is customary activity–such as scheduled backups and batch operations–and what may be illicit.

Monitor critical database processes

Because GandCrab closes processes that might otherwise impede an attack, alerting on processes that die for no apparent reason can help flag potential ransomware activity. Williams notes that a vigilant client who saw a process go offline at the same time file writes were spiking decided within 30 minutes to shut down the database server, which proved to be under attack. He says, “Because of their quick action, they were able to save 75% of a huge database and, with help, restore the other 25%.”

 

To learn more about GandCrab, view the full webcast, “Dissecting a Ransomware Attack,” Or take a deep dive into VMRay’s research on The Evolution of GandCrab blog post.