In part one of our ‘Evolution of the Ransomware Landscape’ blog series we examined how ransomware grew quickly into the biggest cyberthreat to date in terms of both data loss as well as direct and indirect costs for victims. We also looked at a new trend for ransomware operations in 2019 that targeted US local government organizations. We will kick off part two with the introduction of a classic in the history of ransomware.
GandCrab - A Ransomware Classic
GandCrab has been the most commonly used malware in ransomware attacks for 2018 and part of 2019. The operator behind it established a RaaS model, selling the malware, infrastructure, enhancements, and patches using a license model.
This approach allows the threat actor to focus on malware and infrastructure development without having to worry about taking part in the attacks themselves. The RaaS customers employ the ransomware to perform attacks against their targets and split the ransom sum between themselves and the RaaS operator.
The RaaS operator hired developers on the notorious hacking forum exploit.in to assist with the development of new ransomware features and enhancements.
At the end of May 2019, the GandCrab RaaS operators publicly announced they were going to shut down operations and retire.
One month earlier, a new ransomware appeared by the name of Sodinokibi. Sodinokibi was used to deploy GandCrab the very first time it was spotted in the wild but in subsequent ransomware attacks, Sodinokibi was used on its own.
Sodinokibi bears striking similarities to GandCrab. While the code is significantly different, the TTPs employed by Sodinokibi are extremely similar to the ones used by GandCrab. The way the malware tries to hide its C2 infrastructure, the custom encryption mechanism, the setting to avoid targeting the Commonwealth of Independent States and the RaaS model all suggest a possible connection. In addition, a new entity was hiring developers on the exploit.in site for a new family of ransomware exactly at the time when Sodinokibi appeared.
The following is a list of reasons why analysts believe the operator behind GandCrab might be the same operator behind Sodinokibi:
There are striking similarities in the TTPs of the two kinds of malware. Sodinokibi first appeared deploying GandCrab.
Both ransomware types have settings to intentionally avoid targeting CIS countries (Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan).
GandCrab’s operator disappeared immediately after the appearance of a new operator for the new Sodinokibi RaaS.
Both threat actors implemented the same agile model for malware development and the same license/fee model for monetization.
As can be seen in the structured data attached to this report, there is an overlap of MITRE techniques employed by both malware families.
Analysts believe that the GandCrab operators might have pretended to retire and appear as a new threat actor in order to hide their tracks after all the attention that GandCrab attacks received from international media, security vendors and international law enforcement organizations.
Social Engineering Against a RaaS Operator: Scamming a Scammer
Europol, the FBI, and the other law enforcement agencies recently managed to crack GandCrab's master key. How did they do it?
In October of 2018, a Syrian man who had lost his children in the war made a desperate plea on Twitter after GandCrab encrypted the photos and videos of his children. He was begging the ransomware developers to please unlock his files stating that he barely had food to feed himself and his wife, let alone the $600 needed to pay the ransom amount.
The desperate pleas of the Syrian man, for whom those videos and photos were "all I have to live for. If I lose them there's no reason for me to even breathe anymore," struck a chord with the GandCrab operators and they decided to release 1,000 decryption keys for the pool of victims located in Syria.
Shortly thereafter, Bitdefender, Europol, FBI, and other agencies started coming out with GandCrab decryptor tools, leading up to the latest release of the master key for GandCrab versions 4 through 5.2. Some analysts are speculating that BitDefender, the FBI, Europol and the other agencies used the 1,000 decryption keys previously released by the GandCrab operators to calculate the entropy used by the random number generator employed for the master key.
The Twitter account of the Syrian man has only one day of activity, which was the day of the desperate pleas. While there is no acknowledgment from the organizations above about a social engineering operation against the GandCrab operator, clues point in that direction.
It appears the scammers got scammed.
Let’s end part 2 on this positive note. Stay tuned for the final part of our ransomware blog series, in which we will take a look at what some are calling ‘The New Age of Ransomware’.