The GandCrab ransomware, which first appeared in January, has been updated rapidly during its short life, with Version 5.0.2 appearing this month. In this post we will examine the latest version and how the authors have improved the code (and in some cases have made mistakes). McAfee gateway and endpoint products are able to protect customers from known variants of this threat.

The GandCrab authors have moved quickly to improve the code and have added comments to provoke the security community, law enforcement agencies, and the NoMoreRansom organization. Despite the agile approach of the developers, the coding is not professional and bugs usually remain in the malware (even in Version 5.0.2), but the speed of change is impressive and increases the difficulty of combating it.

The group behind GandCrab has achieved cult status in underground forums; the authors are undoubtedly confident and have strong marketing skills, but flawless programming is not one of their strengths.

On September 27, the GandCrab crew announced Version 5 with the same showmanship as its earlier versions. GandCrab ransomware has gained a lot of attention from security researchers as well as the underground. The developers market the affiliate program like a “members-only club” and new affiliates are lining up to join, in the hope of making easy money through the large-scale ransomware extortion scheme.

The prospect of making money not only attracts new affiliates, but also leads to the formation of new alliances between GandCrab and other criminal services that strengthen the malware’s supply and distribution networks. One of these alliances became obvious during Version 4, in which the ransomware started being distributed through the new Fallout exploit kit. This alliance was again emphasized in the GandCrab Version 5 announcement, as the GandCrab crew openly endorsed FalloutEK. With Version 5, yet another alliance with a criminal service has been formed.

The malware crypter service NTCrypt announced that it is partnering with the GandCrab crew. A crypter service provides malware obfuscation to evade antimalware security products.

The NTCrypt-GandCrab partnership announcement offering a special price for GandCrab users.

The partnership between GandCrab and NTCrypt was established in a novel way. At the end of September, the GandCrab crew started a “crypt competition” on a popular underground forum to find a new crypter service they could partner with. NTCrypt applied and eventually won the competition. This novel approach emphasizes once more the cult status GandCrab has in the underground community.

For the security community it is worrisome to see that GandCrab’s aggressive marketing strategy seems to be paying off. It is generating a strong influx of criminal interest and allows the GandCrab crew to form alliances with other essential services in the cybercriminal supply chain. For a criminal business such as GandCrab, building these alliances makes perfect sense: they increase the ease of operation, and a trusted affiliate network minimizes their risk exposure by allowing them to avoid less-trusted suppliers and distributors.

GandCrab Version 5 uses several mechanisms to infect systems. The following diagram shows an overview of GandCrab’s behavior.

- Remote desktop connections with weak security or bought in underground forums.
- Phishing emails with links or attachments.
- Trojanized legitimate programs containing the malware, or downloading and launching it.
- Exploit kits such as RigEK and others such as FalloutEK.
- PowerShell scripts or within the memory of the PowerShell process (the latter mainly in Version 5.0.2).
- Botnets such as Phorpiex (an old botnet that spread not only this malware but many others).

The goal of GandCrab, as with other ransomware, is to encrypt all or many files on an infected system and insist on payment to unlock them.