Home / malware GandCrab
First posted on 17 June 2019.
Source: SecurityHomeAliases :
There are no other names known for GandCrab.
Explanation :
The authors of this ransomware are very active and have released at least five versions of GandCrab to date. While there are no major differences between any two versions of this malware, the frequent changes show the time attackers are investing in maintaining and developing it.
GandCrab is also the first ransomware that demands payment in DASH cryptocurrency and utilizes the ".bit" top level domain (TLD). This TLD is not sanctioned by ICANN and it therefore provides an extra level of secrecy to the attackers.
As we mentioned in our previous articles on Black Ruby and Data Keeper, ransomware is still the favorite choice among the attackers for making money. GandCrab certainly supports this argument.
GandCrab is distributed via multiple spreading vectors, which include spam emails, exploit kits and other affiliated malware campaigns. GrandSoft and RIG are the two most commonly used exploit kits for distributing GandCrab along with the high number of malicious spam emails. These spam emails trick users into opening the file contained inside the attached ZIP archive, which is generally a script that downloads GandCrab ransomware and executes it.
The JavaScript file is highly obscured. Upon execution, it decodes a URL where GandCrab is hosted. The script then downloads the malware to a file on the disk and executes it.
The above URL seems to be hosted on a benign Chinese server that was probably compromised by the attackers and now is being used for distributing GandCrab ransomware binaries.
We will look into the latest version of GandCrab ransomware v2.3.1 having MD5: 4302AAC62E41F4355206D49257C3AAAE, which was distributed using the Flash RIG exploit kit. The file has a compilation date of April 9, 2018 according to the PE header.
The executable file is custom packed, which unpacks as a DLL with the internal name "encryption.dll" and uses a reflective DLL loading technique to load it into memory. The execution begins at DllEntryPoint, which is automatically call on by the system as soon as the DLL is loaded. (This reflective DLL loading technique is used in the recent version starting from v.2.0. Older versions of GandCrab v1.0 and v.1.1 simply unpack and execute from a newly allocated memory page with read-write and execute permission, which is not backed by any DLL.)
GandCrab starts with reconnaissance activity and collects the following information from the victim's machine:
- User name
- PC name
- Domain name
- Locale information
- Keyboard Layout
- Operating system name
- Operating system type
- Installed anti-virus software(s)
- Processor name and identifiers
- Drive types
- Available space on hard drives
- Public IP address.
During this reconnaissance, if GandCrab identifies a keyboard layout to be RUSSIAN it will terminate the execution immediately. GandCrab generates a unique Ransom-ID for each victim by calculating a CRC32 hash of the string formed by concatenating the volume serial number, processor name and processor identifier.
The computer domain name and Ransom-ID are used to create a named mutex that ensures only single instance of the ransomware is running at any given time.
The next step is to terminate all processes that may have locked handles for certain files that GandCrab wishes to encrypt.
GandCrab then decrypts the ransom note stored within the binary using simple XOR encryption. The XOR key is set to 0x5, which has not changed since the earlier version of this ransomware. The ransom note has a placeholder/marker "{USERID}" which gets substituted with the value of the Ransom-ID that was generated in the earlier stage.
Key Generation
RSA keys
GandCrab generates an ephemeral RSA 2048-bit key pair on each victim machine that will later be used to encrypt the AES 256-bit key and IV (initialization vector), which are used to encrypt user files. Separate AES keys are generated for each user files and are appended to the same file in an encrypted form. The RSA key pair is converted to base64 format, which is then added with other information collected from the victim machine. That gets encrypted with RC4 encryption using a pseudo random key, generated based on GetTickCount() and is sent to the server. The RC4 key is used as object name to open a new HTTP request handle for connecting to GandCrab's control server.
n the above code snippet, CryptGenKey() is called with algorithm Id CALG_RSA_KEYX for generating RSA key pair and a flag is set to 0x8000001, where upper 16 bits of 0x8000001 is 0x800, or decimal 2,048 for specifying the key length to be 2048 bit. If the function does not succeed in generating the RSA key, GandCrab tries to restart itself with elevated privileges.
GandCrab has implemented a routine to run commands with elevated privileges. To do this it begins by checking the WNDOWS version. If it's above XP, then it verifies the SID membership of the current process to check if it belongs to an administrator group. If not, it uses ShellExecuteExW() API with the verb "runas" and file to run "C:WindowsSystem32wmic.exe", to which it passes the parameter "process call create 'cmd /c start'". Here the function parameter is the full path of the current executable.
The complete command to execute with "runas" is C:WindowsSystem32wmic.exe process call create "cmd /c start"
Communication with server
GandCrab establishes communications with the control server twice throughout the complete course of its execution.
Network communication call graph
To establish a connection, it tries to resolve domain names to IP addresses using Windows' NSLOOKUP utility and hardcoded DNS server names. The IP address retrieved by NSLOOKUP will then be used to open a new connection to the server, communicate the data collected from the victim's machine, and receive commands to decide further actions like deleting itself from the machine.
NSLOOKUP is executed using the CreateProcess() API and all the outputs are redirected to a PIPE object created by GandCrab for inter-process communication. After executing the utility, it checks the output by reading from this PIPE object and looks for IP address-like strings. If no IP-like strings are found, GandCrab returns "fabian wosar <3". The return value is compared by the caller function and if it's equal to "fabian wosar <3", the domain resolution operation is repeated continuously with a pause every 10 seconds until a different string is received.
The following command is executed using CreateProcess() API
nslookup zonealarm.bit ns1.corp-servers.ru
nslookup ransomware.bit ns1.corp-servers.ru
nslookup zonealarm.bit ns2.corp-servers.ru
nslookup ransomware.bit ns2.corp-servers.ru
Final Steps
If it's running with administrator privileges, GandCrab tries to delete all shadow copies of user data, which are automatic backups of user files created by WINDOWS VSS (Volume Shadow Copy Service).
In GandCrab v2.3.1, we have seen another new functionality whereby it tries check if the current execution path contains "MICROSOFT". If not, it reboots the machine. On restart, GandCrab can execute automatically with the help of the one-time persistence key that was previously created. This key contains the executable path for the copy of GandCrab which is present in "%APPDATA%microsoft.exe".
Basically, in this version, GandCrab does not wait for the user to reboot the machine to execute - rather it forces the reboot and completes it execution activity without relying on the user's actions.
Ultimately, like all previous version, it opens the Tor download URL https://www.torproject.org/download/download-easy.html.en, providing the victim with a clear start to download the TOR browser so they can pay the ransom and recover their data.Solution :
Bitdefender has created a decryptor for GandCrab-ransomware up to version 5.2.
https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind/Last update 17 June 2019
