GandCrab, once known as a consumer-targeting ransomware, is increasingly being used in attacks against business organizations
2018 was dominated by two strains of malware: GandCrab for consumers and SamSam for businesses. Both were hugely successful for the hackers — GandCrab for its continuous development and relatively low cost; and SamSam because of its developers’ ability to infiltrate and cripple large networks.
Since the end of 2018, with the U.S. indictment of two Iranian citizens for their involvement with SamSam, it has all but disappeared. The business model of infecting larger organizations for a larger payout remains attractive — and GandCrab is beginning to be used by other actors against business. Now Cybereason has detected a new example, with a new evasive infection chain, with GandCrab targeting an unnamed Japanese manufacturing business.
The Norsk Hydro incident in March 2019 demonstrates how effective a successful ransomware attack against manufacturing can be. Although it did not penetrate the OT side of Norsk’s systems, it still shut down plants by disrupting the means of controlling them. The incident has cost the firm approximately $52 million. The cost will be much higher if the ransomware penetrates the OT side of the corporate network — as WannaCry did at Taiwan chip manufacturer TSMC. WannaCry cost TSMC an estimated $250 million.
Criminals bank on manufacturers’ willingness to pay perhaps a few hundred thousand dollars rather than face costs of millions of dollars — as Jackson County, Georgia, did when infected by the Ryuk ransomware.
GandCrab is ransomware-as-a-service. As soon as security firms develop a decryptor, the developers produce a new version. At the time of the attack against the Japanese firm, there is no way to recover GandCrab encrypted files without paying the ransom (or recovering from backups).
This new attack starts with a poisoned Korean Office document. The poison is an embedded and obfuscated macro that is triggered by GotFocus. A multi-stage downloader is decrypted resulting a WMI object that spawns a cmd.exe instance with more commands. It produces an INF configuration file that uses a variation of the Squiblydoo technique (using cmstp.exe) to bypass Windows AppLocker.
cmstp.exe connects to pastebin.com to download a secondary payload — a scriptlet containing obfuscated JavaScript code that contains GandCrab. This is decrypted and dropped at runtime.
“The [pastebin] URL and the page content seem to be undetected by antivirus vendors on VirusTotal,” say the researchers, suggesting that detection of this attack requires behavioral analysis rather than signature detection. The ransom note produced by a successful attack states that the malware is GandCrab version 5.2. Decryptors are currently available only for versions 1, 4 and 5 up to 5.1.
The relatively new use of GandCrab against business is not an indication of a change of policy from the developers. Since leasing the ransomware is a service they offer, it is still available to the less skilled hackers who use spray and pray delivery against consumers.
“Also, since GandCrab is a RaaS model, the threat actors who ‘lease’ the service, can target whomever they want. So, it’s difficult to assign collective intention/trend, since we are talking about an unknown number of potential threat actors,” Assaf Dahan, Cybereason’s senior director, head of threat research, told SecurityWeek. However, its growing adoption by more skilled hackers is a new threat to business.
“There have been many large enterprises and recognizable corporate brands hit by ransomware in the past year, some in the manufacturing industry,” continued Dahan. “In general, the threat actors are carrying out more targeted campaigns against many companies across a wide spectrum of industries. A persistent, motivated hacker will eventually succeed in breaking through a corporate defense, making it critical for enterprises to be able to respond quickly, to turn back the threat. Any significant latency in the time of breach and response leads to trouble.”
Related: SamSam and GandCrab Illustrate Evolution of Ransomware
Related: GandCrab: The New King of Ransomware?
Related: GandCrab Ransomware Spreads Via NSA Exploit
Related: Malware Activity Slows, But Attacks More Sophisticated: Report