GandCrab V5 Ransomware


What is GandCrab V5 Ransomware?

GandCrab is one of the most notorious ransomware families of the last few years. It was first seen in January 2018, and security researchers tracking it observed multiple revisions and changes in attack methodology over the next 15 months. Version 1 of GandCrab encrypted files with the .gdcb extension, versions 2 and 3 used .crab, version 4 used .krab, and version 5 appended a randomly generated string of characters.

Estimates put the number of GandCrab infections at 500,000 or more, and the malware's authors claimed to have earned over $2 billion from the operation. The real number of victims is likely higher, while the earnings figure comes from the criminals themselves and may well be exaggerated. Even so, the ransomware was flagged as a severe threat by the FBI, Europol, and government security agencies.

The authors of GandCrab are unknown, but investigations found strong links to Russian-speaking criminal groups. The authors ran an affiliate 'business model' (ransomware-as-a-service): they licensed the malware to a large number of distributors in hacking communities, who spread the infection and shared the proceeds.

Ransom demands ranged from about $600 to $600,000. The ransom note directed victims to a payment portal on the darknet that was reachable only through the Tor browser. Payment was demanded in a cryptocurrency called DASH (later versions also accepted Bitcoin), most likely because DASH advertises strong privacy features that make payments harder to trace.

How Does GandCrab V5 Ransomware Work?

There are five major versions of the GandCrab ransomware, and each version went through several revisions intended to improve GandCrab's ability to resist detection, analysis, and decryption. The updates came as the malware matured and in response to countermeasures from the security industry, such as the free decryptors described below.

Early versions of GandCrab, which began infecting machines in January 2018, spread through malvertising. Malvertising involves injecting malicious or malware-laden advertisements into legitimate online advertising networks. The initial malvertising campaign opened a pop-up in the web browser warning of a missing font required to view the site, duping the user into installing the malware through that pop-up.

Other early versions of GandCrab spread through malicious attachments in email spam campaigns sent from a botnet of compromised computers, giving the attackers a coordinated, high-volume delivery channel. The emails relied on social engineering lures such as subject lines reading "Unpaid invoice #XXX."

Users who opened these attachments unknowingly ran the downloader, which installed the ransomware locally on their computer, and so became GandCrab victims. GandCrab was also distributed through at least four known exploit kits, which delivered the malware by exploiting vulnerabilities in Windows, including in the VBScript engine used by Internet Explorer and other software. Exploit kits are served through web pages rather than spreading between hosts, but a single infected workstation inside a corporate network gives the attacker a foothold from which to reach vulnerable servers and other systems.

The threat actors 'allowed' victims to decrypt one file of their choosing for 'free,' to prove that the decryption tool worked and to gain the victim's trust. Victims were then prompted to pay, with the criminals offering an immediate download of the GandCrab decryptor. They even went as far as to provide 24/7 "free" online chat support.

In January 2019, affiliates distributing version 5 of GandCrab adopted RDP brute-force attacks as a delivery method, an approach already common with Phobos, LockCrypt, and Qinymore ransomware. This shift in attack methodology suggests a large base of affiliates constantly adapting how the malware was delivered, while the authors pushed regular code revisions to increase its impact.
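An RDP brute-force attack leaves a trail of failed logons in the Windows Security log (Event ID 4625). The following script, added here as an illustration and not taken from the original page, summarizes those failures by source IP so that a password-guessing campaign stands out. It assumes it runs in an elevated PowerShell session on the Windows host whose Security log you want to inspect; the look-back window and threshold values are assumptions you should tune to your environment.

```powershell
# Added example: summarize failed logons (Security Event ID 4625) by source IP
# to surface RDP password guessing. Assumes an elevated session on the host
# being inspected; $Hours and $Threshold are tunable assumptions.

function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,       # look-back window (assumed default)
        [int]$Threshold = 20    # failures per source IP treated as brute force (assumed)
    )

    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Pull the named EventData fields out of each event's XML
    $records = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            IpAddress = $d['IpAddress']
            Account   = $d['TargetUserName']
            LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP without NLA), 3 = Network (NLA pre-auth)
        }
    }

    $records |
        Where-Object { $_.LogonType -in '3', '10' -and $_.IpAddress -and $_.IpAddress -ne '-' } |
        Group-Object IpAddress |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object {
            [pscustomobject]@{
                SourceIp  = $_.Name
                Failures  = $_.Count
                Accounts  = ($_.Group.Account | Sort-Object -Unique) -join ','
                FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
                LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
            }
        } |
        Sort-Object Failures -Descending
}

Get-FailedLogonSummary -Hours 24 -Threshold 20 | Format-Table -AutoSize
```

A long list of distinct account names from one source IP within minutes is the classic signature of credential stuffing against RDP. Note that when Network Level Authentication is enabled, some failed attempts are recorded with an IpAddress of "-"; in that case correlate with the Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log, which records the client address for failed connections.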

How Do I Prevent V5 GandCrab Ransomware?

Microsoft patched the vulnerabilities that GandCrab's exploit kits relied on, releasing a significant batch of updates in February 2018. Keeping antivirus definitions current and the Windows operating system fully patched is essential to stopping GandCrab from spreading.

For the earlier campaigns, training employees to recognize phishing emails and social engineering tricks reduced the risk of exposure to GandCrab. Training should give users a working understanding of what cybersecurity is, what warning signs to look for, and how to report a suspicious message.

Later campaigns delivered GandCrab through brute-force attacks against RDP. We highly recommend reviewing every internet-facing server, requiring strong passwords (backed by an account lockout policy) by default, and making sure no RDP endpoint has been left exposed by mistake.

RDP (TCP port 3389) should be blocked by default at the perimeter firewall. If a server is hosted with a public cloud provider, configure its security group or network ACL so that RDP is reachable only from predefined administrative IP addresses; all other traffic to port 3389 should be dropped at the firewall.

Any server offering RDP should have Network Level Authentication (NLA) enabled (the "Allow connections only from computers running Remote Desktop with Network Level Authentication" option in the Remote Desktop settings, or the equivalent Group Policy). With NLA, the client must authenticate with valid credentials before the server creates a session and shows the logon screen, which removes the unauthenticated attack surface of the logon window and limits the resources an attacker can consume. NLA works with both domain and local accounts; on its own it does not stop password guessing, so it must be paired with strong passwords, account lockout, and network restrictions.

Never forward RDP ports through the perimeter firewall. Remote access to a corporate network should go over a VPN that requires multi-factor authentication, with RDP used only inside the tunnel. The firewall then drops any RDP packets arriving from the internet, and the internal RDP services are never exposed.
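The host-side controls from the preceding paragraphs (NLA, a TLS security layer, an RDP firewall rule scoped to management addresses, and an account lockout policy) can be audited and enforced with the script below. It is an added example rather than anything from the original page; the management address list and the lockout values are assumptions to replace with your own VPN concentrator or jump-host addresses and policy.

```powershell
# Added example: audit and enforce RDP hardening on a Windows Server.
# Run in an elevated PowerShell session. $AllowedRdpSources is an assumed
# allow-list; replace it with your VPN concentrator / jump-host addresses.

$AllowedRdpSources = @('10.20.30.0/24', '203.0.113.10')   # assumed management ranges
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Test-RdpHardening {
    $nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication -eq 1
    $tls = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer).SecurityLayer -ge 1

    # Any enabled inbound allow rule for 3389 that is not scoped to specific remote addresses
    $open = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' -and
            ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
        }

    [pscustomobject]@{
        NlaEnabled         = $nla
        TlsSecurityLayer   = $tls
        RdpOpenToAnySource = [bool]$open
        OffendingRules     = ($open.DisplayName -join '; ')
    }
}

function Set-RdpHardening {
    # 1. Require Network Level Authentication: the client authenticates before a session exists
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord

    # 2. Require TLS for the RDP security layer (2 = SSL/TLS) instead of legacy RDP encryption
    Set-ItemProperty -Path $rdpTcp -Name SecurityLayer -Value 2 -Type DWord

    # 3. Scope the built-in Remote Desktop rules to the management allow-list only
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $AllowedRdpSources

    # 4. Make sure anything without an explicit allow rule is dropped on every profile
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

    # 5. Account lockout so guessing is throttled (assumed values: 10 attempts, 30 minutes)
    net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30 | Out-Null
}

Write-Host 'Before:'; Test-RdpHardening | Format-List
Set-RdpHardening
Write-Host 'After:';  Test-RdpHardening | Format-List
```

The audit deliberately flags allow rules whose remote address is "Any", because that is exactly the misconfiguration that exposes RDP to the whole internet when a perimeter port forward exists. Scoping the firewall rules is a host-level backstop; it does not replace blocking 3389 at the perimeter and routing administrators through a VPN with MFA.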

Several additional standard measures should be taken to protect against ransomware infection:

  • System Inventory – One of the first steps, especially for a business, is to complete an inventory of all assets: servers, desktops, laptops, network equipment, and supporting digital infrastructure. Cataloging assets lets you identify the critical components and processes that must be recovered first if systems are infected.
  • Risk Analysis – Conduct a cybersecurity risk analysis using the baseline created by the system inventory. This will identify security weaknesses and produce a prioritized list of what to fix first.
  • Backups – If the worst happens and you are hit by ransomware, the quickest resolution is usually to restore from backup. Keep regular, segregated backups, with at least one copy offline or offsite, on a daily, weekly, and monthly rotation so that the backups themselves are not encrypted along with production systems.
  • Disaster Recovery – Create and test a disaster recovery plan, including a scenario in which ransomware causes a total outage. This might be a high-availability DR setup in a secondary site or with a cloud provider.
  • Penetration Testing – Testing external and internal infrastructure for known vulnerabilities and exploitable misconfigurations. Pen testing and regular vulnerability scanning produce a list of recommended fixes needed to harden the infrastructure.

How Do I Remove GandCrab V5 Ransomware?

In February 2018, a month after GandCrab first appeared, the cybersecurity company Bitdefender released a free GandCrab decryption tool. This prompted the malware's authors to release a new version with changes to its encryption scheme that defeated the tool.

An 'arms race' followed between the malware authors and security firms, producing a series of new ransomware revisions and, in turn, updated free decryption tools. As of this writing, free decryption tools cover GandCrab versions 1, 4, and 5 up to 5.2. There is no free decryption tool for GandCrab versions 2 or 3.

As with all malware, unless you have a sound, uninfected backup, restoring a server to its original state is difficult. You may be able to roll back files from Windows Volume Shadow Copy Service (VSS) snapshots if the feature was enabled and the threat actor did not delete them; ransomware, GandCrab included, routinely tries to delete shadow copies before encrypting. A System Restore point may also help recover system files, though it does not restore user documents.
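Before concluding that shadow copies are gone, check directly rather than trusting the ransom note. The script below, an added example that is not part of the original page, lists the surviving shadow copies for a volume and exposes the newest one as a folder so that pre-encryption versions of files can be copied out. It assumes an elevated session on the affected host; the mount point and recovery destination are assumptions.

```powershell
# Added example: enumerate surviving Volume Shadow Copies and expose the newest
# one as a directory link so files can be copied out. Run elevated on the
# affected host. Mount point and destination paths are assumptions.

function Get-SurvivingShadowCopies {
    param([string]$Drive = 'C:')
    # Win32_Volume.DeviceID and Win32_ShadowCopy.VolumeName share the \\?\Volume{GUID}\ form
    $vol = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $Drive }
    if (-not $vol) { throw "Volume $Drive not found" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)] $ShadowCopy,
        [string]$MountPoint = 'C:\ShadowRecovery'    # assumed mount point
    )
    if (Test-Path $MountPoint) { throw "$MountPoint already exists" }
    # mklink needs the trailing backslash to treat the device object as a directory
    $target = $ShadowCopy.DeviceObject + '\'
    cmd /c mklink /d "$MountPoint" "$target" | Out-Null
    $MountPoint
}

$copies = Get-SurvivingShadowCopies -Drive 'C:'
if (-not $copies) {
    Write-Warning 'No shadow copies remain on C:. The actor likely deleted them; restore from backup instead.'
} else {
    $copies | Format-Table -AutoSize
    # Use the newest snapshot, after confirming its InstallDate predates the encryption event
    $mp = Mount-ShadowCopy -ShadowCopy ($copies | Select-Object -First 1)
    # Copy pre-encryption user data out of the snapshot (destination is assumed)
    Copy-Item -Path "$mp\Users" -Destination 'D:\Recovered\Users' -Recurse -ErrorAction SilentlyContinue
    # Remove the link when finished; the snapshot itself is untouched
    cmd /c rmdir "$mp" | Out-Null
}
```

Treat anything recovered this way as untrusted until it is scanned: the snapshot predates the encryption, but it may not predate the initial compromise, so executables and documents with macros from the snapshot should be checked before they are reintroduced.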

If you are in the difficult position of not having a viable backup and you urgently need your files, the incident response experts at Tetra Defense can assist. We prioritize restoration to get businesses back to where they were before the ransomware attack.

We approach ransomware restoration and investigations simultaneously so you can return to normal business operations while you are getting answers. Our teams are standing by to focus on what matters most: your business!

We survey the ransomware outbreak and perform an initial assessment to identify the best course of action for recovery. When deemed necessary, we can conduct ransom negotiation and facilitate ransom payment when no other option for recovery is available.

Tetra Defense removes the ransomware from your systems and conducts malware scans and network threat hunting. Each incident is used to learn from the attack and identify its root cause. Once decryption keys are obtained, we decrypt the data and restore systems to full functionality as quickly as possible.

Example of GandCrab Ransom Note

Get Help with GandCrab Ransomware

If you’re ready to get help removing GandCrab ransomware from your critical systems, contact our incident response team today. We will reach out for an assessment and build a plan to get your systems up and running once again.
