Earlier this month, command-and-control servers tied to the fast-growing GandCrab ransomware campaigns were seized by Romanian Police and Europol. But, criminals behind GandCrab don’t appear phased by the setback and have already tweaked the malware to keep ransomware payment coming in.
According to new research by Check Point, the group behind GandCrab has infected over 50,000 victims mostly in the U.S., U.K. and Scandinavia. And in the two months the ransomware crew has been in business, criminals have earned an impressive $600,000.
“GandCrab is the most prominent ransomware of 2018. By the numbers this ransomware is huge,” said Yaniv Balmas, group manager, security research at Check Point who compares the ransomware to the prolific Cerber malware. He said despite popular opinions that the sands have shifted away from ransomware to cyptojacking, they actually haven’t. “There are still very high infection rates. And it is still a very easy way for criminals to make money,” he said.
For those behind GandCrab, staying profitable and staying one-step ahead of white hats means adopting a never-before-seen agile malware development approach, said Check Point.
Check Point made the assessment after reviewing early incarnations of the GandCrab ransomware (1.0) and later versions (2.0).
“Comparing the two versions of GandCrab gives us a glimpse into the process by which a strain of ransomware evolves. The authors started by publishing the least well-built malware that could possibly work, and improved it as they went along. Given this, and given that this newest version was released within the week, the bottom line seems to be: It’s the year 2018, even ransomware is agile,” according to an upcoming report to be released by Check Point.
Early versions of the GandCrab were full of bugs and mistakes from a developers stand point, said Michael Kajiloti, team leader, malware research at Check Point. “They have been diligent about fixing issues as they pop up. They are clearly doing their own code review and fixing bugs reported in real-time, but also fixing unreported bugs in a very efficient manner.”
Much like Cerber, the hackers behind the malware simply rent their ransomware software, and are never engaged in the actual campaigns. This allows them to focus on malware development, and not the day to day infecting and collecting of ransomware. That development-focused approach is credited to Cerber’s success as well. Files are encrypted using the .CRAB extension with DASH cryptocurrency payments equal to $300 to $600 for each infection.
It is not clear who is behind GandCrab, but Check Point believes its likely Russia-based hacking group because instructions by the criminals forbid users of the ransomware to target systems where the keyboard layout is in Russian.
Earlier this month, security firm BitDefender released a free decryptor. However, Check Point said GandCrab’s developers quickly made changes to their product to render the decryptor tool useless.
“GandCrab itself is an under-engineered ransomware that manages to still be effective. For example, until recently, the malware accidentally kept local copies of its RSA private decryption key – the essential ingredient of the extortion – on the victim’s machine. This is the ransomware equivalent of someone locking you out of your own apartment and yet leaving a duplicate of the key for you under the doormat,” according to the authors of the Check Point report.
“If you monitor your internet traffic while you are infected for the private key, this means you can easily decrypt your files,” Balmas said. “The private key is encrypted in transit. But it is encrypted using the same password every time. And the password is embedded in the malware code.”
This flaw won’t last for long, suspects Check Point researchers.
“It is getting harder and harder to find flaws,” Kajiloti said.
Constant development has also helped GandCrab, in some instances, bypass signature-based AV engines. “Cosmetics and incremental code changes keep the core of the malware behavior essentially the same. This comes to show the core differentiator of dynamic analysis and heuristic-based detection, which is signature-less,” according to the Check Point report.
“With agile development and the infection rate and affiliates, GandCrab will keep making money,” Kajiloti said.