{"id":15848,"date":"2019-07-19T11:45:32","date_gmt":"2019-07-19T19:45:32","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9593\/"},"modified":"2019-07-19T11:45:32","modified_gmt":"2019-07-19T19:45:32","slug":"news-9593","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/07\/19\/news-9593\/","title":{"rendered":"GandCrab Threat Actors Retire&#8230;Maybe"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In a surprising announcement two weeks ago, the threat group behind the malware operation GandCrab announced that they had shut down their operations. Until that point, GandCrab had been one of the most active malware campaigns of the past year, both in terms of distribution and rapid development. FortiGuard Labs has covered their progress in a <a href=\"https:\/\/www.fortinet.com\/blog\/search.html?q=gandcrab\">series of articles<\/a>, as well as in a <a href=\"https:\/\/fortiguard.com\/events\/2744\/avar2018-the-gandcrab-mentality\">presentation<\/a> at AVAR2018.<\/p>\n<p>In an announcement as novel and cavalier as the threat actors themselves \u2013 reflecting their public persona since they first surfaced \u2013 they have now made a grand exit by thanking their affiliates and detailing their earnings.<\/p>\n<p>They claim that their Ransomware-as-a-Service (RaaS) operation had a total of $2 billion in earnings. 
In a pay scheme of 60%-40% (70%-30% in some cases), with the larger share of the payments going to their affiliates, they claim that they personally earned $150 million from their operations.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">\n<img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gandcrab-threat-actors-retire\/_jcr_content\/root\/responsivegrid\/image.img.png\" alt=\"GandCrab announces retirement\"\/>\n<span class=\"cmp-image--title\">Figure 1: GandCrab announces retirement (image from twitter: @CryptoInsane)<\/span>\n<\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Arrival on the Ransomware Scene<\/h2>\n<p>GandCrab first appeared on <a href=\"https:\/\/exploit.in\/\">exploit.in<\/a>, a Russian hacking forum, on January 28, 2018, at a time when file-encrypting malware distribution was seemingly declining. Despite this, GandCrab made a significant impact, infecting more than 50,000 victims in just their first month of operation.<\/p>\n<p>They were also notable at the time as the first criminal organization to accept only DASH cryptocurrency as ransom payment, although they later decided to accept other cryptocurrencies. They also hosted their C2s under the .BIT TLD through a centralized DNS server (a.dnspod.com), which nominally claimed to mirror the Namecoin namespace. 
While .BIT is commonly associated with the Namecoin organization and its decentralized DNS project, GandCrab\u2019s association with Namecoin was later <a href=\"https:\/\/www.namecoin.org\/2018\/01\/30\/recent-reports-ransomware-using-namecoin-missing-real-story.html\">debunked<\/a> by the organization.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">\n<img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gandcrab-threat-actors-retire\/_jcr_content\/root\/responsivegrid\/image_17587956.img.png\" alt=\"GandCrab\u2019s advertisement post in the Russian forum exploit.in\"\/>\n<span class=\"cmp-image--title\">Figure 2: GandCrab\u2019s advertisement post in the Russian forum exploit.in (image from twitter: @CryptoInsane)<\/span>\n<\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Aggressive Distribution<\/h2>\n<p>GandCrab\u2019s aggressive distribution network was built through its affiliate program and partnerships with other services, such as the binary crypter <a href=\"https:\/\/www.zdnet.com\/article\/gandcrab-ransomware-teams-up-with-crypter-service\/\">NTCrypt<\/a>, along with other <a href=\"https:\/\/www.zdnet.com\/article\/gandcrab-ransomware-teams-up-with-crypter-service\/\">actors<\/a> with expertise in distribution through RDP and VNC. At first, they only targeted western countries, primarily in Latin America. 
Later, they expanded by partnering with malware distributors in China and South Korea; we detected a <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/venuslocker-delivering-rotten-easter-eggs-in-south-korea.html\">spam campaign<\/a> delivering a GandCrab payload targeting South Korea as recently as last April.<\/p>\n<h2>An Unusual But Probably Effective Marketing Tactic<\/h2>\n<p>Due to the rapid development of GandCrab, FortiGuard Labs and other security researchers have been actively monitoring changes between releases. In addition to new features, these have also included public stunts in the form of novelty messages that the threat actors embedded in their binaries to taunt researchers and security organizations. This approach created noise, which arguably made them one of the most covered and talked-about ransomware families of the past year. This unusual strategy demonstrated an almost unprecedented level of criminal bravado, and even a sense of invincibility, since they were able to release public announcements taunting the security community without any repercussions.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">\n<img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gandcrab-threat-actors-retire\/_jcr_content\/root\/responsivegrid\/image_891934480.img.png\" alt=\"Messages embedded by threat actors to taunt researchers and organizations\"\/>\n<span class=\"cmp-image--title\">Figure 3: Messages embedded by threat actors to taunt researchers and organizations<\/span>\n<\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In another unusual marketing tactic, 
GandCrab actors also used reports from security companies to promote the success of their service, while mocking their adversaries.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">\n<img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gandcrab-threat-actors-retire\/_jcr_content\/root\/responsivegrid\/image_867214446.img.png\" alt=\"GandCrab advertisement using reports from security companies as their signature\"\/>\n<span class=\"cmp-image--title\">Figure 4: GandCrab advertisement using reports from security companies as their signature<\/span>\n<\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Agile Development<\/h2>\n<p>Part of GandCrab\u2019s success was due to their use of an agile development approach that enabled rapid releases of new versions. This was best described in our article on the <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/a-chronology-of-gandcrab-v4-x.html\">development of GandCrab v4.x<\/a>. 
A detailed discussion of the full timeline of GandCrab development can also be found in our AVAR2018 presentation, <a href=\"https:\/\/fortiguard.com\/events\/2744\/avar2018-the-gandcrab-mentality\">The GandCrab Mentality<\/a>.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">\n<img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gandcrab-threat-actors-retire\/_jcr_content\/root\/responsivegrid\/image_1488607721.img.png\" alt=\"GandCrab v4.0-v4.4 timeline\"\/>\n<span class=\"cmp-image--title\">Figure 5: GandCrab v4.0-v4.4 timeline<\/span>\n<\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<h2>Bugs, Breaches, and GandCrab\u2019s Demise<\/h2>\n<p>This agile development approach enabled them to successfully evade detection by many security companies. A good example is when AhnLab released a vaccine tool that prevented the malware from executing on a system by creating a file that the malware checked for before running its encryption routine. This started a tit-for-tat between the two, which even led to the threat actors disclosing a Denial-of-Service attack POC against one of AhnLab\u2019s products. This was also discussed in our article on the GandCrab v4.x timeline.<\/p>\n<p>However, GandCrab was no exception to the drawbacks of a fast-paced development approach, as bugs and loopholes began to be discovered in distributed versions. For instance, in the very early versions of the malware they used hardcoded RC4 keys to encrypt their outbound traffic, which also contained the private keys; this would have enabled the decryption of the victim\u2019s ransomed files. 
Another simple but serious slip-up was when they failed to set a flag when generating their RSA keys. This led to a copy of the private key being stored locally on the victim\u2019s system. We also <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/gandcrab-v3-accidentally-locks-systems-with-new--change-wallpape.html\">discussed<\/a> a bug that we found when they first added the feature that changed their victims\u2019 wallpaper. However, they quickly fixed these mistakes in the next release.<\/p>\n<p>But perhaps their biggest mishap \u2013 one that we believe led to their eventual demise \u2013 was a series of breaches of their server-side infrastructure, which led to leaks of victims\u2019 private keys. A month after their operation began, Bitdefender, in collaboration with Europol, released <a href=\"https:\/\/www.europol.europa.eu\/newsroom\/news\/free-data-recovery-kit-for-victims-of-gandcrab-ransomware-now-available-no-more-ransom\">a free decryption tool<\/a> for victims of GandCrab v1. 
At the time, there was very limited information as to how they were able to do this \u2013 at least until the ransomware perpetrators themselves announced that their payment page had been compromised, which we suspect led to the creation of the decryption tool.<\/p>\n<\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">\n<img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gandcrab-threat-actors-retire\/_jcr_content\/root\/responsivegrid\/image_737295330.img.png\" alt=\"GandCrab posts about the breach to their payment page\"\/>\n<span class=\"cmp-image--title\">Figure 6: GandCrab posts about the breach to their payment page<\/span>\n<\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We believe that similar breaches eventually led to the release of decryption tools for files encrypted by newer versions of the malware. In fact, just two weeks after GandCrab\u2019s retirement announcement, Bitdefender released a new version of its <a href=\"https:\/\/labs.bitdefender.com\/2019\/06\/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind\/\">decryption tool<\/a> that supports the latest (v5.2) version of the malware.<\/p>\n<h2>Solution<\/h2>\n<p>FortiGuard customers are protected by the following:<\/p>\n<ul>\n<li>The latest versions of GandCrab are detected by our specific and heuristic detections<\/li>\n<li>FortiSandbox rates GandCrab\u2019s behavior as high risk<\/li>\n<\/ul>\n<h2>Conclusion<\/h2>\n<p>GandCrab was a Ransomware-as-a-Service malware managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. 
Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.<\/p>\n<p>Through a recent forum post, the GandCrab team has now publicly announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, considering how witty and novel this threat group has been throughout the course of their campaign, it wouldn\u2019t be a surprise if this retirement announcement was just another of their many public stunts. If there\u2019s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another. In the meantime, FortiGuard Labs will continue to monitor for any new activities from this group.<\/p>\n<p>-= FortiGuard Lion Team =-<\/p>\n<p><i>Learn more about <a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a> and the FortiGuard Security Services <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>. <a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">Sign up<\/a> for our weekly FortiGuard Threat Brief.<\/i><\/p>\n<p><i>Read about the FortiGuard <a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices.<\/i><\/p>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/content\/fortinet-blog\/us\/en\/threat-research\/gandcrab-threat-actors-retire\/_jcr_content\/root\/responsivegrid\/image.img.png\"\/><br \/>In a surprising announcement two weeks ago, the threat group behind the malware operation GandCrab announced that they had shut down their operations. Learn more about whether they are actually retiring.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-15848","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=15848"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/15848\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=15848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=15848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=15848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}