

This paper examines the GandCrab ransomware, the biggest Ransomware-as-a-Service (RaaS) threat seen in 2018 and the first half of 2019. The GandCrab malware made its first appearance at the end of January 2018 and it didn’t take long for it to be discovered by the security community. At that time, no one imagined that GandCrab would eventually grow to become the most prolific Ransomware-as-a-Service threat of 2018 and the first half of 2019. Its growth continued almost right up until it ceased to operate in mid-2019. GandCrab had a large underground forum presence and enjoyed attention from both fellow cybercriminals and security researchers. Looking back, we believe that its success was due to a combination of factors, from technical to partnering, marketing and servicing skills.

Our research was fuelled by a sense that, as an industry, we must realize that we cannot stop cybercrime alone and that we should aim to do more than just malware analysis and the writing of detection rules, especially when it comes to fighting RaaS-type threats. This multi-angled approach gave us different ways to cook a GandCrab. Through technical analysis, we discovered several mistakes and indicators in the malware. Armed with these findings, we were able to exploit those mistakes and build a publicly available vaccine against GandCrab. The hard-coded indicators gave us a method to link individual ransomware samples to affiliates and, by looking at hundreds of GandCrab samples at once, we gained even more interesting insights into the service model dynamics. Subsequently, to learn more about the actor behind GandCrab and its affiliates, we carried out extensive underground forum research. Combining the sample timeline with a timeline of forum postings

Unfortunately, we find ourselves in a situation where most of the cybercriminals involved in ransomware can operate with a certain degree of impunity – ransomware developers are often in countries that make legal prosecution difficult, and affiliates are hard to catch and can easily move from one RaaS to another, continuing their extortion operations. While law enforcement faces a daunting challenge to bring the individuals responsible to justice, our industry’s knowledge, data and tooling should help with this task.
