{"id":16959,"date":"2019-11-21T10:52:23","date_gmt":"2019-11-21T18:52:23","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/11\/21\/news-10696\/"},"modified":"2019-11-21T10:52:23","modified_gmt":"2019-11-21T18:52:23","slug":"news-10696","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/11\/21\/news-10696\/","title":{"rendered":"VB2019 paper: Different ways to cook a crab: GandCrab Ransomware-as-a-Service (RaaS) analysed in depth"},"content":{"rendered":"<p>Though active for not much longer than a year, GandCrab had been one of the most successful ransomware operations. Running as a Ransomware-as-a-Service scheme, the malware regularly updated itself to newer versions to stay ahead of decryptors released by security researchers.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" style=\"display: block; margin-left: auto; margin-right: auto;\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/c237ca212df4b3a5b6b59df15553ad0c_f4190.png\" alt=\"image015.png\" width=\"660\" height=\"372\" \/><span class=\"centered-caption\">High-level overview of the GandCrab RaaS model.<\/span><\/p>\n<p>In a paper presented at VB2019 in London, <em>McAfee<\/em> researchers John Fokker and Alexandre Mundo looked both at the malware code and its evolution, and the affiliate scheme behind it or, as they presented it: how GandCrab is cooked. Through affiliate IDs, they were able to track various actors using the scheme to infect users and organisations.<\/p>\n<p>Not included in the paper, but discussed in their presentation, was more recent research that links GandCrab to Sodinokibi, a ransomware family that appeared earlier this year. This research was published in a series of <em>McAfee<\/em> <a href=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/other-blogs\/mcafee-labs\/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us\/\" target=\"_blank\">blog posts<\/a> last month.<\/p>\n<p>Today we publish John and Alexandre&#8217;s paper in both <a title=\"VB2019 paper: Different ways to cook a crab: GandCrab Ransomware-as-a-Service (RaaS) analysed in\u00a0depth\" href=\"https:\/\/www.virusbulletin.com\/virusbulletin\/2019\/11\/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth\/\">HTML<\/a> and <a href=\"https:\/\/www.virusbulletin.com\/uploads\/pdf\/magazine\/2019\/VB2019-Fokker-Mundo.pdf\" target=\"_blank\">PDF <\/a>format. We have also uploaded the video of thier VB2019 presentation to our <em>YouTube<\/em> channel.<\/p>\n<p>\u00a0<\/p>\n<p>\u00a0<\/p>\n<p style=\"text-align: center;\" width=\"100%\" height=\"420\"><iframe loading=\"lazy\" src=\"https:\/\/www.youtube.com\/embed\/mC4raVTmBEY\" frameborder=\"0\" width=\"100%\" height=\"420\" style=\"\"> <\/iframe><\/p>\n<p>\u00a0<\/p>\n<p>outertext<br \/><a href=\"https:\/\/www.virusbulletin.com\/blog\/2019\/11\/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-depth\/\" target=\"bwo\" >https:\/\/www.virusbulletin.com\/rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.virusbulletin.com\/files\/cache\/c237ca212df4b3a5b6b59df15553ad0c_f4190.png\"\/><br \/>                                 Though active for not much longer than a year, GandCrab had been one of the most successful ransomware operations. In a paper presented at VB2019 in London, McAfee researchers John Fokker and Alexandre Mundo looked at the malware code, its evolution and the affiliate scheme behind it. Today we publish both their paper and the recording of their presentation.                <\/p>\n<p>                 <a href=\"https:\/\/www.virusbulletin.com\/blog\/2019\/11\/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-depth\/\">Read more<\/a>                                <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[23177,10378,23176],"tags":[],"class_list":["post-16959","post","type-post","status-publish","format-standard","hentry","category-magazine","category-security","category-virusbulletin"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=16959"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/16959\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=16959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=16959"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=16959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}