GandCrab Ransomware Goes Agile

  /     /     /  
Publicated : 22/11/2024   Category : security


GandCrab Ransomware Goes Agile


GandCrab ransomwares developers have iterated the code rapidly, researchers found.



The relative quiet in ransomware attacks so far in 2018 may be a bit misleading, as ransomware developers have been busy and in some cases moving their craft forward with techniques used in enterprise software development.
According to researchers at Check Point, thats just what the creators of ransomware variant GandCrab are doing. GandCrab, a fairly recent entrant to the ransomware scene, infected over 50,000 victims and reaped more than $600,000 for attackers in the first two months of this year.
Thats a notable return to the criminals, but its not the most significant thing about GandCrab: The most interesting point, and what makes it different is that the way the ransomware is developed and maintained - the whole approach, says Michael Kajiloti, team leader of malware research at Check Point.
The way that its developed and maintained looks very much like the Agile development discipline used in many enterprise development shops today.
Rather than releasing malware that had been developed and tested for reliability before going public, Kajiloti says that GandCrabs developers released software with significant flaws - one made it easy to decrypt GandCrabs encrypted files without paying the ransom - but then rapidly iterated new versions to solve the problems and evade new techniques for detecting the malware.
Jon Clay, director of global threat communications at Trend Micro, says his firm has seen the same sort of behavior in their research of GandCrab. Theyre doing a number of iterations pretty quickly, he says, noting that, while frequent iteration isnt completely unheard of, it is unusual in the malware business.
Clay also says that the ransomwares developers have been improving more than just the encryption and decryption routines. They improved the persistence of the malware. Theyre being more rigorous in their attempts to keep the software on the system, he explains.
In the beginning, Crab was an under-engineered ransomware that managed to still be effective, according to Check Point. Now, Kajiloti says, Weve seen it evolve from simple and messed-up ransomware to something thats a real threat because its becoming harder and harder to find flaws. And in fixing those flaws, the malware writers acknowledge the help of researchers in finding errors and creating new defenses.
Ben Herzog, a malware researcher at Check Point, says, If you look through their [GandCrabs developers] logs they are full of the names of researchers so theyre in a constant dialogue with the people researching them. Theyll include the names of researchers in domain names as a way of honoring successful takedowns.
And, in Herzogs view, that dialogue is part of what makes the GandCrab developers different. Whats novel is the whole picture, he says. Weve seen them take less than a week to fix decryption flaws and proactively fix flaws that werent yet in the wild, so the guys have the capability to release a good product but they chose to go in this method.
A Criminal Network
One of the other unusual aspects of GandCrab is the way its delivered or, in this case, the
ways
in which its delivered. While they use mal-spam (spam email carrying a malware payload) there are two exploit kits where theyve added [GandCrab] as a dropper, Clay says. They also use a drive-by download campaign and a pirated software bundle that features this. There are four or five arrival vectors. Usually something will use one or two but not all of these in the same campaign.
A variety of distribution methods is an artifact of the financial model the developers have used, one based on the affiliate model seen in legitimate businesses. Kajiloti says the affiliate model isnt unique but has been successful. The authors themselves arent the only ones spreading the ransomware - they have affiliates who can buy the ransomware and spread it themselves, he says.
Law enforcement tends to go after the attackers, so the back office is less vulnerable. I think this group is using it both for profitability and to obfuscate their existence, says Clay.
New Old Defense?
Does this new ransomware mean that businesses should look to new defense methods? Check Point has stated that GandCrab is a fifth-generation attack: one that involves multi-vector attacks driving a need for threat prevention rather than simple threat detection. If youre asking what to do about ransomware, youre ahead of the game already. The game is played on the field of being blindsided, says Herzog.
Organizations need to continue to do what they need to. Layered security is important, says Clay, who points out that smaller organizations should be especially diligent. When they scan the system to encrypt, they look for removable drives, RAM drives, network drives - any and all drives attached to the system. In a small business, all systems tend to be attached to the central server and that could cause real problems, he explains.
Ultimately, its the effectiveness of protection, Clay says. Organizations need to protect themselves and have a very good layered protection plan in place. Block things at the source versus just focusing on the endpoint: thats the worst place to detect ransomware, he says.
Related Content:
A Secure Enterprise Starts with a Cyber-Aware Staff
Malware Cocktails Raise Attack Risk
What Happens When You Hold Robots for Ransom?
Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the
security track here
.

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
GandCrab Ransomware Goes Agile