GandCrab Ransomware Detected Targeting Manufacturing Firm

GandCrab, once known as a consumer-targeting ransomware, is increasingly being used in attacks against business organizations

2018 was dominated by two strains of malware: GandCrab for consumers and SamSam for businesses. Both were hugely successful for the hackers — GandCrab for its continuous development and relatively low cost; and SamSam because of its developers’ ability to infiltrate and cripple large networks.

Since the end of 2018, with the U.S. indictment of two Iranian citizens for their involvement with SamSam, it has all but disappeared. The business model of infecting larger organizations for a larger payout remains attractive — and GandCrab is beginning to be used by other actors against business. Now Cybereason has detected a new example: GandCrab, delivered through a new evasive infection chain, targeting an unnamed Japanese manufacturing business.

The Norsk Hydro incident in March 2019 demonstrates how effective a successful ransomware attack against manufacturing can be. Although it did not penetrate the OT side of Norsk’s systems, it still shut down plants by disrupting the means of controlling them. The incident has cost the firm approximately $52 million. The cost will be much higher if the ransomware penetrates the OT side of the corporate network — as WannaCry did at Taiwan chip manufacturer TSMC. WannaCry cost TSMC an estimated $250 million.

Criminals bank on manufacturers’ willingness to pay perhaps a few hundred thousand dollars rather than face costs of millions of dollars — as Jackson County, Georgia, did when infected by the Ryuk ransomware.

GandCrab is ransomware-as-a-service. As soon as security firms develop a decryptor, the developers produce a new version. At the time of the attack against the Japanese firm, there was no way to recover GandCrab-encrypted files without paying the ransom (or recovering from backups).

This new attack starts with a poisoned Korean-language Office document. The poison is an embedded, obfuscated macro that is triggered by the GotFocus event. A multi-stage downloader is decrypted, resulting in a WMI object that spawns a cmd.exe instance with further commands. This produces an INF configuration file that uses a variation of the Squiblydoo technique (using cmstp.exe) to bypass Windows AppLocker.

cmstp.exe connects to pastebin.com to download a secondary payload — a scriptlet containing obfuscated JavaScript code that contains GandCrab. This is decrypted and dropped at runtime.

“The [pastebin] URL and the page content seem to be undetected by antivirus vendors on VirusTotal,” say the researchers, suggesting that detection of this attack requires behavioral analysis rather than signature detection. The ransom note produced by a successful attack states that the malware is GandCrab version 5.2. Decryptors are currently available only for versions 1, 4 and 5 up to 5.1.
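The chain described above (WMI-spawned cmd.exe, cmstp.exe loading an INF, cmstp.exe reaching pastebin.com) is exactly the kind of thing behavioral telemetry catches when signatures do not. The following is an added example, not Cybereason's or SecurityWeek's code: a small correlation over constructed Sysmon-style events (event ID 1 = process creation, 3 = network connection). The field names, the hostnames and the assumption that WMI-launched processes appear with WmiPrvSE.exe as parent are mine.

```python
"""Behavioral detection for the GandCrab cmstp.exe delivery chain.

All telemetry below is constructed for illustration; field names mimic
Sysmon but are an assumption, not a real export.
"""
from collections import defaultdict

PASTE_SITES = {"pastebin.com"}
# Parents under which cmstp.exe reading an INF is ordinary (assumption).
BENIGN_CMSTP_PARENTS = {"rasphone.exe", "explorer.exe", "svchost.exe"}

# Constructed events: ws-01 shows the full chain, ws-02 is a benign VPN profile install.
SAMPLE_EVENTS = [
    {"host": "ws-01", "id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /c echo [version] > C:\Users\u\AppData\Local\Temp\x.inf"},
    {"host": "ws-01", "id": 1, "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\u\AppData\Local\Temp\x.inf"},
    {"host": "ws-01", "id": 3, "image": r"C:\Windows\System32\cmstp.exe",
     "dest": "pastebin.com"},
    {"host": "ws-02", "id": 1, "image": r"C:\Windows\System32\cmstp.exe",
     "parent": r"C:\Windows\System32\rasphone.exe",
     "cmdline": r"cmstp.exe /s C:\ProgramData\corp-vpn.inf"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {host: [finding, ...]} for events matching any chain stage."""
    findings = defaultdict(list)
    for e in events:
        img = basename(e["image"])
        if e["id"] == 1:
            parent = basename(e["parent"])
            cmd = e["cmdline"].lower()
            if img == "cmd.exe" and parent == "wmiprvse.exe":
                findings[e["host"]].append("cmd.exe spawned via WMI")
            if img == "cmstp.exe" and ".inf" in cmd and parent not in BENIGN_CMSTP_PARENTS:
                findings[e["host"]].append(f"cmstp.exe loaded INF under {parent}")
        elif e["id"] == 3 and img == "cmstp.exe" and e["dest"].lower() in PASTE_SITES:
            findings[e["host"]].append(f"cmstp.exe connected to {e['dest']}")
    return dict(findings)


def is_delivery_chain(host_findings):
    """True when the INF load and the paste-site download both occurred on a host."""
    return (any("loaded INF" in f for f in host_findings)
            and any("connected to" in f for f in host_findings))
```

Each individual stage (a user-writable INF, a paste-site connection) has benign look-alikes, so alert on the correlated chain and treat single findings as hunting leads.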

The relatively new use of GandCrab against business is not an indication of a change of policy from the developers. Since leasing the ransomware is a service they offer, it is still available to the less skilled hackers who use spray-and-pray delivery against consumers.

“Also, since GandCrab is a RaaS model, the threat actors who ‘lease’ the service, can target whomever they want. So, it’s difficult to assign collective intention/trend, since we are talking about an unknown number of potential threat actors,” Assaf Dahan, Cybereason’s senior director, head of threat research, told SecurityWeek. However, its growing adoption by more skilled hackers is a new threat to business.

“There have been many large enterprises and recognizable corporate brands hit by ransomware in the past year, some in the manufacturing industry,” continued Dahan. “In general, the threat actors are carrying out more targeted campaigns against many companies across a wide spectrum of industries. A persistent, motivated hacker will eventually succeed in breaking through a corporate defense, making it critical for enterprises to be able to respond quickly, to turn back the threat. Any significant latency in the time of breach and response leads to trouble.”

Related: SamSam and GandCrab Illustrate Evolution of Ransomware 

Related: GandCrab: The New King of Ransomware? 

Related: GandCrab Ransomware Spreads Via NSA Exploit 

Related: Malware Activity Slows, But Attacks More Sophisticated: Report

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
